Re: Multiple passwords
Adrian Overbury wrote:
Hi,
I'm trying to make a system account in LDAP that has multiple passwords,
one of which is time-limited. Basically, it's your run-of-the-mill
posix/shadowAccount object, with your common-or-garden userPassword
attribute. Everything works so far. But now I want to add a couple of
new attributes, tempPassword and tempPasswordTimestamp. tempPassword
will contain a long random string of characters hashed somehow (crypt,
sha, md5, I don't care) generated by the service-management software my
company develops. tempPasswordTimestamp is what one of its underlying
systems will use to determine all tempPasswords that have expired.
Now, I created the attribute tempPassword, and made it SUP userPassword,
but it doesn't seem to have inherited any of userPassword's
functionality, like the ability to hash the entered string with a given
scheme (like if I entered {SSHA}password I'd end up with a SHA-1 hashed
password) and automatic encoding to base64.
I know (or, at least, I *think*) that userPassword is a multi-valued
attribute, so I could just enter another userPassword and let it auth
off that, but that defeats the purpose, which is to create a secure
password that operators in our service-management software can use to
log in to this user's account at the push of a button, without having to
actually *know* the user's password. The password itself will be at
least 20 characters long, consisting of uppercase, lowercase, numbers
and special characters, so it'll be as secure as we can make it. All of
it relies on me being able to create a new password attribute and auth
off it, though, so, anyone able to help?
What kind of access do your operators have? Are they logging in
to LDAP, http, shell?
OpenLDAP itself allows you to assign SASL authorization rights so
that an identity with special privileges (operator) can
authenticate with their own credentials, but request
authorization rights to act as another user.
See
http://www.openldap.org/doc/admin24/sasl.html#SASL%20Proxy%20Authorization
- Dan
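The proxy-authorization setup Dan points to, applied to the original poster's scenario, as an added example that is neither part of this thread nor OpenLDAP's own documentation. The suffix, the operator and user DNs, the manager DN and the ldap://localhost URL are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: let an operator entry act as a user through OpenLDAP
# proxy authorization, so the operator never needs the user's password.
# All DNs, the server URL and file paths below are assumed for the demo.
set -eu

OPERATOR_DN="uid=operator,ou=staff,dc=example,dc=com"   # assumed
USER_DN="uid=alice,ou=people,dc=example,dc=com"          # assumed
MANAGER_DN="cn=Manager,dc=example,dc=com"                # assumed

# 1. slapd.conf must enable the rule type. "to" means the OPERATOR's own
#    entry lists whom it may become (attribute authzTo). Add once:
#
#      authz-policy to
#
#    (cn=config equivalent: olcAuthzPolicy: to on the cn=config entry)

# 2. LDIF that grants the operator the right to become exactly one user.
#    A dn.exact rule is the narrowest form; an ldap:///<base>??sub?<filter>
#    URL value would instead describe a set of users the operator may assume.
write_authz_ldif() {
    out="$1"
    cat > "$out" <<EOF
dn: $OPERATOR_DN
changetype: modify
add: authzTo
authzTo: dn.exact:$USER_DN
EOF
}

# 3. Apply the grant with directory-manager credentials (-W prompts).
apply_grant() {
    ldapmodify -x -H ldap://localhost -D "$MANAGER_DN" -W -f "$1"
}

# 4. The operator binds with ITS OWN password and attaches the proxied
#    authorization control (RFC 4370) asking to be treated as the user.
#    slapd answers "dn:<user DN>" only when authzTo allows it; otherwise
#    the operation fails with a proxy-authorization error, which is what
#    should show up in the server log for review. A SASL bind with
#    -X dn:<user DN> is checked against the same authzTo rule.
check_as_user() {
    ldapwhoami -x -H ldap://localhost -D "$OPERATOR_DN" -W \
        -e "authzid=dn:$USER_DN"
}
```

Run write_authz_ldif, apply_grant and check_as_user in that order against a test directory; the whoami result should name the user, not the operator.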