Re: Implementing additional passwords with limited scope / "app passwords"
- To: openldap-technical@openldap.org
- Subject: Re: Implementing additional passwords with limited scope / "app passwords"
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 24 Apr 2019 17:48:05 +0200
- In-reply-to: <1556091322@msgid.manchmal.in-ulm.de>
- Openpgp: id=43C8730E84A20E560722806C07DC7AE36A8BC938
- References: <1556091322@msgid.manchmal.in-ulm.de>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
On 4/24/19 9:37 AM, Christoph Biedl wrote:
> looking for a way to implement alternative passwords for a given object
> (i.e. account information). The tricky part, such passwords should not
> be usable in every application but e.g. for mail access only, not for
> interactive login.
It really depends on how fine-grained you need it.
It might be worth looking into OAuth2 tokens, but the client and server
have to support this.
> The "restriction to an application" logic could possibly be implemented
> using an attribute I'd call "capability", but I have no clue how to
> handle the passwords.
Bear in mind that bind requests are anonymous per se and slapd does not
have authenticated information about which LDAP client application sent
the bind request. So the really tricky part is to determine in the
OpenLDAP server which application sent the bind request to authorize the
authentication.
Hint: What you can authorize is the user entry search operation sent by
the application prior to the bind request.
> Findings so far: It is possible to store more than one userPassword in
> an account object, but now I cannot see how to tell apart which of the
> ones was used for successful binding, and I reckon this is not possible
> at all in a sane way.
>
> Enhancing the schema I might store the extra password/capabilities
> combos in separate objects. But this creates the question of how to deal
> with applications that don't allow entering the entire request string.
>
> Another idea I could think of was to have separate objects
> ("cn=john.doe", "cn=john.doe+login") - but I consider that ugly.
Those are the reasons why I'm doing something like this in
https://ae-dir.com with completely separate accounts.
If you find this ugly then I think it's unlikely you'll find a "nice"
solution.
Ciao, Michael.
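To make Michael's hint concrete: since slapd cannot tell which application sent a bind, the only per-application hook is the search each application performs to find the user's DN before binding. The slapd.conf ACL fragment below is an added example for this thread, not configuration from the original message or from Æ-DIR; the service DNs, the ou layout and the custom "capability" attribute are assumptions (the attribute would need to be defined in your own schema).

```conf
# Added example (not from the thread). Assumed: ou=accounts holds the user
# entries, ou=services holds one service account per application, and the
# entries carry a custom multi-valued attribute "capability".

# The bind itself cannot be tied to an application, so userPassword is
# only ever usable for authentication; the client never reads it.
access to dn.subtree="ou=accounts,dc=example,dc=com" attrs=userPassword
    by self write
    by * auth

# The mail server's service account may only find accounts that carry
# capability=mail. Accounts without it stay invisible to it, so it never
# learns a DN it could bind with. "read" implies "search", which the
# (uid=...) filter of the pre-bind search needs; "entry" must be readable
# for the entry to be returned at all.
access to dn.subtree="ou=accounts,dc=example,dc=com"
    filter="(capability=mail)"
    attrs=entry,uid,mail,capability
    by dn.exact="cn=mailserver,ou=services,dc=example,dc=com" read
    by * break

# The interactive-login gateway only finds accounts flagged for login.
access to dn.subtree="ou=accounts,dc=example,dc=com"
    filter="(capability=login)"
    attrs=entry,uid,capability
    by dn.exact="cn=loginhost,ou=services,dc=example,dc=com" read
    by * break

# Everything not matched above: users see their own entry, nobody else
# can enumerate the accounts subtree.
access to dn.subtree="ou=accounts,dc=example,dc=com"
    by self read
    by * none
```

Note what this does and does not give you. The ACLs control which accounts each application can discover, so the mail server cannot even attempt a bind for an account that lacks capability=mail. They do not distinguish between several userPassword values on one entry: whichever value matches is accepted, by any application that can find the DN. A "mail-only" password therefore stays usable for login as long as the same entry carries both capabilities, which is exactly why the separate-accounts approach Michael describes is the only way to make the credentials themselves application-specific.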