Rob Tanner wrote:
> When I'm adding an attribute to my private schema and I'm not sure of
> the syntax OID, I look for a similar attribute in the schema included in
> the openLDAP distribution. The problem is that 'userPassword' is
> apparently defined by the software since I can't find it in any of the
> schema. If I encode the 'tempPassword' exactly the same as I encode
> 'userPassword', I'm guessing that what I'm writing is basically an octet
> string. Am I right?

1. Use a decent schema browser to examine the whole subschema subentry.
   This will also contain schema descriptions hard-coded in slapd (or its
   overlays).

2. userPassword is declared with OctetString (OID 1.3.6.1.4.1.1466.115.121.1.40).
   However, if in your case you expect the password to be in clear-text and
   only contain strings you could type on a keyboard, then DirectoryString
   (OID 1.3.6.1.4.1.1466.115.121.1.15) might be more appropriate.

>> Also, I note that while you can define an attribute that's named
>> tempPassword, it will not be used by OpenLDAP for authentication.
>> 'userPassword' is a special case. Similar behaviour could be achieved by
>> writing an overlay, though, if that's what you want.
>
> That's the entire purpose. A number of systems and services
> authenticate to the LDAP server. When users fail to take note of the
> expiry notices they're getting in their email and allow their password
> to expire and, oh, by the way, don't remember their own answers to the
> security questions, the support desk will assign them a temporary
> password that the password manager (a webapp) knows how to read.

IMO that's bad practice. When doing a password reset you should set a
random value in userPassword together with a password expiration
attribute (slapo-ppolicy).

Ciao, Michael.
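For reference, here is what a private schema fragment for the 'tempPassword' attribute discussed above looks like when loaded into cn=config. This is an added example, not from the thread or from the OpenLDAP distribution; the OID arc 1.1.x is a placeholder for your own enterprise OID arc, and the attribute and object class names are assumptions.

```ldif
# Added example (not from the original thread). Replace the 1.1.x OIDs with
# OIDs from your own registered arc before using this in production.
dn: cn=tempschema,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: tempschema
# Same syntax and matching rule as slapd's built-in userPassword:
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 (OctetString), EQUALITY octetStringMatch.
# If values will only ever be typed text, 1.3.6.1.4.1.1466.115.121.1.15
# (DirectoryString) with caseExactMatch is the alternative mentioned above.
olcAttributeTypes: ( 1.1.1.1 NAME 'tempPassword'
  DESC 'Temporary password set by the support desk; slapd does not bind with it'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
# Auxiliary class so the attribute can be attached to existing user entries.
olcObjectClasses: ( 1.1.2.1 NAME 'tempPasswordObject'
  DESC 'Auxiliary class carrying tempPassword'
  SUP top AUXILIARY
  MAY ( tempPassword ) )
# Note: access rules written for attrs=userPassword do not cover this new
# attribute; add a separate olcAccess rule restricting who may read or write it.
```

Load it with `ldapadd -Y EXTERNAL -H ldapi:/// -f tempschema.ldif`, then confirm the definition appears in the subschema subentry (cn=Subschema) with a schema browser as suggested in point 1.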
