Re: Compare-Request on hashed userPassword
On 27/09/11 18:59 +0200, Michael Ströder wrote:
> HI!
>
> We have {SSHA}-hashed passwords in attribute userPassword.
>
> One application sends CompareRequests with the clear-text password instead of
> a BindRequest to validate the password which obviously fails. The application
> vendor claims it is too much effort to change that behaviour in the
> application. I guess this can only be solved in slapd by a custom overlay
> intercepting the CompareRequest (which is effort too).
>
> Or is there any other solution I don't know of?

We had a similar problem where Sun ILOM requires userPassword to be in a
Solaris compatible crypt format. We created a custom attribute, called
cryptedUserPassword, and populate it for the users that need access to the
device. Then we make use of slapd-relay and slapo-rwm, to present
cryptedUserPassword as userPassword when our relayed tree
(dc=example,dc=net,dc=ilom) is queried.
Our slapd.conf config looks like:
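
# Virtual naming context served by back-relay
database relay
suffix "dc=example,dc=net,dc=ilom"
# slapo-rwm rewrites DNs and attribute names between the virtual and real trees
overlay rwm
rwm-rewriteEngine on
# Map the virtual suffix onto the real naming context
suffixmassage "dc=example,dc=net"
rwm-rewriteContext default
# Present cryptedUserPassword to clients as userPassword
rwm-map attribute userPassword cryptedUserPassword
rwm-map attribute cryptedUserPassword userPassword
# Restrict searches to entries that carry someAccessAttr=ilom
rwm-rewriteContext searchFilter
rwm-rewriteRule ".*uid=(.*)\)\)" "(&(uid=$1)(someAccessAttr=ilom))"
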
--
Dan White
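
Added example, not part of the original thread or of OpenLDAP: a Python sketch of why a Compare carrying the clear-text password does not match an {SSHA} value while a Bind-style check does. The compare is modelled as an octet-for-octet match on the stored attribute value (an assumption that follows the thread's description); the function names, password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = b"{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build a userPassword value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt)


def ssha_verify(stored: bytes, candidate: bytes) -> bool:
    """Bind-style check: re-hash the candidate using the salt kept in the stored value."""
    if stored[:len(SCHEME)].upper() != SCHEME:
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False
    if len(raw) <= SHA1_LEN:
        return False  # digest without salt is not a valid SSHA value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def literal_compare(stored: bytes, asserted: bytes) -> bool:
    """Compare-style check, modelled as an exact match against the stored octets."""
    return hmac.compare_digest(stored, asserted)


if __name__ == "__main__":
    password = b"s3cret-example"                      # constructed sample
    stored = ssha_hash(password, salt=b"\x01\x02\x03\x04")
    print("stored value      :", stored.decode())
    print("compare(cleartext):", literal_compare(stored, password))
    print("bind-style verify :", ssha_verify(stored, password))
    # A client that hashes before comparing still fails: it cannot know the salt.
    print("compare(re-hashed):", literal_compare(stored, ssha_hash(password)))
```

The last line shows why hashing on the client side does not rescue the compare either: each {SSHA} value embeds its own random salt, so only a check that reads the salt back out of the stored value can succeed.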