[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: userPassword not SINGLE-VALUE ?
V Alex Brennen writes:
>On Fri, 7 Nov 2003, Ace Suares wrote:
>
>> - where is attibutetype userPassword defined ?
>
> It is defined in core.schema.
No, it is hard-coded into slapd, in servers/slapd/schema_prep.c.
> If it is commented out in your installation, you should not have been
> able to add any values for it.
What do you you mean? It's commented out in core.schema because
it's defined elsewhere, that's all.
>> - if so, how does an application (qmail, proftpd, whatever)
>> determine which userPassword to use ? Will it always use
>> 'the first' ?
Slapd tries all of them.
> It can be application dependent depending on how the author
> of the application decided to implement the authentication.
Applications shouldn't read and check userPassword at all. They
shouldn't even be able to: the server should make userPassword
unreadable. That is, the sysadmin should put something like this in
slapd.conf:
access to attr=userPassword by * ssf=128 auth
which only gives 'auth' access to userPassword, and that only when TLS
is in use (so users are not encouraged to send plaintext passwords over
the net.)
--
Hallvard