> 2008/5/6 Terry Gardner <[EMAIL PROTECTED]>:
> According to RFC4519, 'userPassword' is a multi-valued attribute.

Thanks for pointing this out. If I understand correctly, an entry may
have multiple uid and userPassword values. However, it seems that all
the passwords play the same role. Thus in my case a user could log in
to the ssh server using their SVN password. Am I right?

I don't know how the multiple uid values are handled.

Here is the relevant part of RFC4519:
> 2.39. 'uid'
>
> The 'uid' ('userid' in RFC 1274) attribute type contains computer
> system login names associated with the object. Each name is one
> value of this multi-valued attribute.
> (Source: RFC 2798 [RFC2798] and RFC 1274 [RFC1274])
>
> ( 0.9.2342.19200300.100.1.1 NAME 'uid'
> EQUALITY caseIgnoreMatch
> SUBSTR caseIgnoreSubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
>
> 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
> [RFC4517].
>
> Examples: "s9709015", "admin", and "Administrator".

> 2.41. 'userPassword'
>
> The 'userPassword' attribute contains octet strings that are known
> only to the user and the system to which the user has access. Each
> string is one value of this multi-valued attribute.
>
> The application SHOULD prepare textual strings used as passwords by
> transcoding them to Unicode, applying SASLprep [RFC4013], and
> encoding as UTF-8. The determination of whether a password is
> textual is a local client matter.
> (Source: X.509 [X.509])
>
> ( 2.5.4.35 NAME 'userPassword'
> EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
>
> 1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax
> [RFC4517].
>
> Passwords are stored using an Octet String syntax and are not
> encrypted. Transfer of cleartext passwords is strongly discouraged
> where the underlying transport service cannot guarantee
> confidentiality and may result in disclosure of the password to
> unauthorized parties.
>
> An example of a need for multiple values in the 'userPassword'
> attribute is an environment where every month the user is expected to
> use a different password generated by some automated system. During
> transitional periods, like the last and first day of the periods, it
> may be necessary to allow two passwords for the two consecutive
> periods to be valid in the system.
>
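
Added illustration, not part of the original message and not any LDAP server's code: a small Python model of the two quoted definitions, assuming a server that accepts a password equal to any stored 'userPassword' value. The entry, the `authenticate` helper, the service names and the passwords are all constructed for the example.

```python
import hmac

# Constructed sample entry (not from the thread): one person, two logins,
# two passwords, as in the question above.
ENTRY = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=org",
    "uid": ["jdoe", "jdoe-svn"],
    "userPassword": [b"ssh-secret-may", b"svn-secret-may"],
}


def octet_string_match(stored: bytes, presented: bytes) -> bool:
    """Byte-for-byte equality (octetStringMatch), compared in constant time."""
    return hmac.compare_digest(stored, presented)


def uid_matches(entry: dict, login: str) -> bool:
    """caseIgnoreMatch, approximated here by casefold() on each uid value."""
    return any(login.casefold() == v.casefold() for v in entry["uid"])


def password_matches(entry: dict, password: str) -> bool:
    """True if the UTF-8 encoded password equals ANY userPassword value."""
    presented = password.encode("utf-8")  # SASLprep step omitted in this model
    # Compare against every value (no early exit) before combining results.
    results = [octet_string_match(v, presented) for v in entry["userPassword"]]
    return any(results)


def authenticate(entry: dict, service: str, login: str, password: str) -> bool:
    """Hypothetical per-service login check against one entry.

    'service' is accepted but cannot influence the result: neither attribute
    records which value belongs to which service, so every uid/password
    pairing drawn from the entry is equivalent.
    """
    return uid_matches(entry, login) and password_matches(entry, password)
```

In this model the values of a multi-valued attribute are an unordered set with no per-service label, so `authenticate(ENTRY, "ssh", "jdoe", "svn-secret-may")` returns True; keeping credentials apart would need something outside these two attributes.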
