[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userPassword not SINGLE-VALUE ?

To: V Alex Brennen <vab@cryptnet.net>
Subject: Re: userPassword not SINGLE-VALUE ?
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Sat, 8 Nov 2003 16:20:40 +0100
Cc: OpenLDAP Software List <openldap-software@OpenLDAP.org>, Ace Suares <ace@suares.nl>
In-reply-to: <Pine.LNX.4.44.0311072156400.32069-100000@cryptnet.net>
References: <200311072022.03973.ace@suares.nl> <Pine.LNX.4.44.0311072156400.32069-100000@cryptnet.net>

V Alex Brennen writes:
>On Fri, 7 Nov 2003, Ace Suares wrote:
> 
>>  - where is attibutetype userPassword defined ?
> 
> It is defined in core.schema.

No, it is hard-coded into slapd, in servers/slapd/schema_prep.c.

> If it is commented out in your installation, you should not have been
> able to add any values for it.

What do you you mean?  It's commented out in core.schema because
it's defined elsewhere, that's all.

>> - if so, how does an application (qmail, proftpd, whatever)
>>   determine which userPassword to use ? Will it always use
>>   'the first' ?

Slapd tries all of them.

> It can be application dependent depending on how the author
> of the application decided to implement the authentication.

Applications shouldn't read and check userPassword at all.  They
shouldn't even be able to: the server should make userPassword
unreadable.  That is, the sysadmin should put something like this in
slapd.conf:

   access to attr=userPassword by * ssf=128 auth

which only gives 'auth' access to userPassword, and that only when TLS
is in use (so users are not encouraged to send plaintext passwords over
the net.)

-- 
Hallvard

References:
- userPassword not SINGLE-VALUE ?
  - From: Ace Suares <ace@suares.nl>
- Re: userPassword not SINGLE-VALUE ?
  - From: V Alex Brennen <vab@cryptnet.net>

Prev by Date: Re: userPassword not SINGLE-VALUE ?
Next by Date: Re: load balancing OpenLDAP
Index(es):
- Chronological
- Thread