Re: Defining a password attributetype
Hi,
On 02/09/2010 23:51, Rob Tanner wrote:
Hi,
I need to define a secondary password attribute and I'm not sure what to
enter in the schema. Is the syntax OID exclusively for searching and
therefore, can I omit it (I'm not going to be searching on the
password)? Or is the syntax OID also used for defining how the attribute is
stored?
The syntax defines the type of an attribute, i.e. what is valid data to be
stored in it. It is obligatory in an attribute definition.
The 'EQUALITY', 'ORDERING' and 'SUBSTR' rules define which types of
searches can be performed on the attribute. If you don't want to allow
searches with a filter like (tempPassword=JHJDSQAJREXNR==) then don't
include an EQUALITY rule.
So far, what I have is:
attributetype ( 1.3.6.1.4.1.6459.10.2.213
NAME 'tempPassword'
DESC 'Temporary password used for resets only'
EQUALITY ??
SYNTAX ??
SINGLE-VALUE )
The attribute will be SHA encrypted digest encoded as Base64 (same as
the standard userPassword attribute). Any guidance on the schema
definition would be most appreciated.
The online OpenLDAP Admin Guide has quite a bit of good information on
defining schemas, including common syntaxes:
http://www.openldap.org/doc/admin24/schema.html#Attribute%20Type%20Specification
Also, I note that while you can define an attribute that's named
tempPassword, it will not be used by OpenLDAP for authentication.
'userPassword' is a special case. Similar behaviour could be achieved by
writing an overlay, though, if that's what you want.
Jonathan
--
==========================================
Jonathan CLARKE
------------------------------------------
Normation
44 rue Cauchy, 94110 Arcueil, France
------------------------------------------
Telephone: +33 (0)1 83 62 26 96
------------------------------------------
Web: http://www.normation.com/
==========================================
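As an added illustration of the reply's two points (SYNTAX is mandatory, and the EQUALITY/ORDERING/SUBSTR rules decide which filters can be evaluated), here is a small parser for an `attributetype` description, not code from the thread or from OpenLDAP. The sample definition completes the one quoted above with the Octet String syntax OID 1.3.6.1.4.1.1466.115.121.1.40, which is an assumption on my part, and omits EQUALITY as Jonathan advises; the parser only handles a single quoted NAME, not the `( 'a' 'b' )` alias form.

```python
import re

# Matching-rule keywords of an RFC 4512 attribute type description, each
# mapped to the search filter kind it enables (SYNTAX enables none by itself).
FILTER_KIND = {"EQUALITY": "equality", "ORDERING": "ordering", "SUBSTR": "substrings"}

# Constructed completion of the definition from the thread: the page's OID and
# NAME, the Octet String syntax (OID assumed, not given in the thread) and no
# EQUALITY rule, so (tempPassword=...) filters cannot be evaluated.
TEMP_PASSWORD = """attributetype ( 1.3.6.1.4.1.6459.10.2.213
    NAME 'tempPassword'
    DESC 'Temporary password used for resets only'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    SINGLE-VALUE )"""


def parse_attributetype(text):
    """Parse an OpenLDAP 'attributetype ( OID ... )' description into a dict.

    Handles one quoted NAME/DESC and bare tokens for the other keywords."""
    m = re.match(r"attributetype\s*\(\s*(\S+)\s+(.*)\)\s*$", text.strip(), re.S)
    if not m:
        raise ValueError("not an attributetype description")
    attr = {"oid": m.group(1)}
    rest = m.group(2)
    for key in ("NAME", "DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX"):
        km = re.search(rf"\b{key}\s+('[^']*'|\S+)", rest)
        if km:
            attr[key.lower()] = km.group(1).strip("'")
    attr["single_value"] = "SINGLE-VALUE" in rest
    return attr


def allowed_filters(attr):
    """Filter kinds the server can evaluate: one per matching rule present."""
    return sorted(kind for key, kind in FILTER_KIND.items() if key.lower() in attr)


def validate(attr):
    """SYNTAX is obligatory; a definition without it is rejected."""
    problems = []
    if "syntax" not in attr:
        problems.append("SYNTAX is required")
    if "name" not in attr:
        problems.append("NAME is missing")
    return problems


if __name__ == "__main__":
    attr = parse_attributetype(TEMP_PASSWORD)
    print(attr["name"], "searchable via:", allowed_filters(attr) or "no filter kind")
    print("problems:", validate(attr) or "none")
```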