
Re: Defining a password attributetype

Hi Jonathan,


On 9/3/10 6:35 AM, "Jonathan CLARKE" <jonathan.clarke@normation.com> wrote:

>
> The syntax defines the type of an attribute, ie what is valid data to be
> stored in it. It is obligatory in an attribute definition.
>
>>
>> The attribute will be SHA encrypted digest encoded as Base64 (same as
>> the standard userPassword attribute). Any guidance on the schema
>> definition would be most appreciated.
>
> The online OpenLDAP Admin Guide has quite a bit of good information on
> defining schemas, including common syntaxes:
>> http://www.openldap.org/doc/admin24/schema.html#Attribute%20Type%20Specification

When I'm adding an attribute to my private schema and I'm not sure of the syntax OID, I look for a similar attribute in the schema included in the OpenLDAP distribution.  The problem is that 'userPassword' is apparently defined by the software since I can't find it in any of the schemas.  If I encode the 'tempPassword' exactly the same as I encode 'userPassword', I'm guessing that what I'm writing is basically an octet string.  Am I right?

>
> Also, I note that while you can define an attribute that's named
> tempPassword, it will not be used by OpenLDAP for authentication.
> 'userPassword' is a special case. Similar behaviour could be achieved by
> writing an overlay, though, if that's what you want.
>

That's the entire purpose.  A number of systems and services authenticate to the LDAP server.  When users fail to take note of the expiry notices they're getting in their email and allow their password to expire and, oh, by the way, don't remember their own answers to the security questions, the support desk will assign them a temporary password that the password manager (a webapp) knows how to read.  Using the 'tempPassword' attribute that I'm going to create means that they will have access to nothing except the password manager until they reset the password.  And, oh, by the way, they'll have to create a new set of security questions that just maybe they'll remember the answers to 6 months down the line when they again ignore the expiry notices.

Thanks,
Rob



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
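The two practical pieces behind this thread are the schema definition for a userPassword-like attribute and the hashing the password manager must do to read and write it, since slapd itself will never verify 'tempPassword'. The following Python is an added example written for this page, not code from the thread or from OpenLDAP. The syntax OID it uses is the Octet String syntax (1.3.6.1.4.1.1466.115.121.1.40) that RFC 4519 assigns to userPassword together with octetStringMatch; that is a fact from the RFC, not something the thread states. The attribute OID `1.3.6.1.4.1.99999.1.1` is a placeholder for a site's own private arc, and `temp_password_attributetype`, `encode_sha` and `verify` are names chosen here. It goes slightly beyond the thread by handling the salted {SSHA} form next to the unsalted {SHA} form the message describes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Octet String syntax (RFC 4517); RFC 4519 gives userPassword this syntax
# with EQUALITY octetStringMatch, so a userPassword-like attribute uses the same.
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"

# Placeholder OID: a real deployment uses an arc from its own registered PEN.
PLACEHOLDER_OID = "1.3.6.1.4.1.99999.1.1"


def temp_password_attributetype(oid: str = PLACEHOLDER_OID) -> str:
    """Render the slapd.conf-style attributetype for a userPassword-like attribute.

    SINGLE-VALUE is an assumption: one temporary password per entry.
    """
    return (
        f"attributetype ( {oid} NAME 'tempPassword'\n"
        "    DESC 'Temporary password set by the support desk; verified only by the password manager'\n"
        "    EQUALITY octetStringMatch\n"
        f"    SYNTAX {OCTET_STRING_SYNTAX}\n"
        "    SINGLE-VALUE )"
    )


def encode_sha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password the way userPassword values are stored.

    {SHA}  : base64( SHA-1(password) )                -- unsalted, as in the thread
    {SSHA} : base64( SHA-1(password + salt) + salt )  -- salted, so equal passwords
             do not produce equal stored values
    """
    pw = password.encode("utf-8")
    if salt is None:
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    digest = hashlib.sha1(pw + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def new_ssha(password: str) -> str:
    """Convenience wrapper: {SSHA} with a fresh random 8-byte salt."""
    return encode_sha(password, os.urandom(8))


def verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SHA} or {SSHA} value.

    This is what the password manager has to do itself, because slapd only
    consults userPassword during bind. hmac.compare_digest keeps the digest
    comparison constant-time.
    """
    pw = password.encode("utf-8")
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported password scheme: " + stored[:8])


if __name__ == "__main__":
    print(temp_password_attributetype())
    stored = new_ssha("Temp-2010-09")
    print(stored, verify("Temp-2010-09", stored), verify("wrong", stored))
```

Because only the webapp ever reads this attribute, the matching slapd ACL should grant read (or auth) access on 'tempPassword' to the password manager's bind identity alone and hide it from everyone else, exactly as sites already do for userPassword; and since the unsalted {SHA} form is identical for every user who gets the same temporary password, {SSHA} is the safer of the two encodings if the webapp can be taught to read it.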