Re: Multiple passwords. Configurable bind attribute. Etc..



"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> writes:

> At present, slapd(8) itself will only use userPassword to
> verify the directory user's password.  

Would it be possible, using slapo-rwm, to rewrite userPassword to
another attribute in the database, or have I misunderstood what
slapo-rwm can do?

> Applications, of course, may or may not use userPassword to verify
> application user passwords.  See the documentation for particular
> applications to see what their capabilities are.

Of course. In this case I'd like to use the PADL pam_ldap/nss_ldap,
to authenticate users in a Linux environment. pam_ldap authenticates
by doing a bind, so the most ideal solution would be if I could
configure slapd to verify the directory user's password against
another attribute than userPassword.

Hmm.. it might be possible to configure nss_ldap to provide a shadow
map with info from OpenLDAP. I'll have to look into that. Still, a
solution where it binds to the slapd the normal way is probably
preferable. For example, I'd like to use the password policy
overlays.

Is there a way to translate an attribute name on a master slapd to
another attribute name on a replica? Or can it perhaps be done using
LDAP Sync replication?

Btw, I have to admit I'm a bit confused by this "LDAP Sync
Replication" compared to "slurpd replication". I understand how the
latter works, and I think I understand how the former works, but what
are the advantages/disadvantages of the two models? What different
problems do they solve?

Thanks,
\EF
-- 
Erik Forsberg                 http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9