[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Double passwords in accounts



Nick Milas writes:
> Based on the fact that the userPassword attribute is NOT single-valued 
> in the schema definition, I was wondering whether there are cases where 
> we could use a double-password approach or if doing that would just 
> cause a mess.

Sure.  For example, when you change an entry's password, you may want a
grace period where both passwords are accepted.  In particular if you
have a service which Binds with its own DN and password, and you don't
want it to fail while you are changing the passwords at both ends (in
the service and in LDAP).  You'll have to remember removing the old
password yourself though, I don't think OpenLDAP has anything which can
remember it for you.  Unless the ppolicy overlay can be used for that.

On the other hand,

> For example, could we store both a clear-text password (to be used e.g. 
> in DIGEST authentication) AND an encrypted (SSHA or MD5) one for 
> standard use?

Why?  The encryption buys you no security when the cleartext password
is also available in the same attribute.

OTOH - userPassword is for Simple Bind, while DIGEST means SASL Bind.
SASL uses its own subsystems.  It can be configured to use passwords
from LDAP but need not be.  See the Adming Guide at www.openldap.org.
I don't know SASL, but I expect it can take the password from some
other attribute than userPassword.

-- 
Hallvard