Multiple passwords
Hi,
I'm trying to make a system account in LDAP that has multiple
passwords, one of which is time-limited. Basically, it's your run-of-
the-mill posix/shadowAccount object, with your common-or-garden
userPassword attribute. Everything works so far. But now I want to
add a couple of new attributes, tempPassword and
tempPasswordTimestamp. tempPassword will contain a long random string
of characters hashed somehow (crypt, sha, md5, I don't care) generated
by the service-management software my company develops.
tempPasswordTimestamp is what one of its underlying systems will use
to determine all tempPasswords that have expired.
Now, I created the attribute tempPassword, and made it SUP
userPassword, but it doesn't seem to have inherited any of
userPassword's functionality, like the ability to hash the entered
string with a given scheme (like if I entered {SSHA}password I'd end
up with a SHA-1 hashed password) and automatic encoding to base64.
I know (or, at least, I *think*) that userPassword is a multi-valued
attribute, so I could just enter another userPassword and let it auth
off that, but that defeats the purpose, which is to create a secure
password that operators in our service-management software can use to
log in to this user's account at the push of a button, without having
to actually *know* the user's password. The password itself will be
at least 20 characters long, consisting of uppercase, lowercase,
numbers and special characters, so it'll be as secure as we can make
it. All of it relies on me being able to create a new password
attribute and auth off it, though, so, anyone able to help?
Regards,
Adrian
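
The scheme described in the message above, sketched as an added example (not code from the original post or from any LDAP server): the management software builds the {SSHA} value itself, stores it with an issue time, and the checking side rejects it once expired. The attribute names tempPassword and tempPasswordTimestamp come from the post; the 15-minute lifetime, the GeneralizedTime timestamp format, the 8-byte salt and all function names are assumptions.

```python
import base64, hashlib, hmac, os, secrets, string
from datetime import datetime, timedelta, timezone

CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
GT_FORMAT = "%Y%m%d%H%M%SZ"  # assumed: timestamp stored as UTC GeneralizedTime

def generate_temp_password(length=20):
    """Random password that contains all four character classes."""
    while True:
        pw = "".join(secrets.choice("".join(CLASSES)) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def ssha_hash(password, salt=None):
    """'{SSHA}' + base64(SHA1(password + salt) + salt), the salted SHA-1 layout."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    if len(raw) <= 20:  # SHA-1 digest is 20 bytes; anything after it is the salt
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + raw[20:]).digest()
    return hmac.compare_digest(candidate, raw[:20])

def issue_temp_password(now):
    """Return the cleartext (shown once) and the two attribute values to store."""
    pw = generate_temp_password()
    return pw, {"tempPassword": ssha_hash(pw),
                "tempPasswordTimestamp": now.strftime(GT_FORMAT)}

def check_temp_login(password, entry, now, lifetime=timedelta(minutes=15)):
    """Accept only a matching hash whose timestamp is still inside the lifetime."""
    issued = datetime.strptime(entry["tempPasswordTimestamp"], GT_FORMAT)
    issued = issued.replace(tzinfo=timezone.utc)
    if not (issued <= now < issued + lifetime):
        return False
    return ssha_verify(password, entry["tempPassword"])
```

The expiry test runs before the hash comparison, so an expired value is refused even if it has not yet been cleaned out of the directory.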