On 27/09/11 18:59 +0200, Michael Ströder wrote:
> HI!
>
> We have {SSHA}-hashed passwords in attribute userPassword. One application sends CompareRequests with the clear-text password instead of a BindRequest to validate the password which obviously fails. The application vendor claims it is too much effort to change that behaviour in the application.
>
> I guess this can only be solved in slapd by a custom overlay intercepting the CompareRequest (which is effort too). Or is there any other solution I don't know of?

We had a similar problem where Sun ILOM requires userPassword to be in a Solaris compatible crypt format. We created a custom attribute, called cryptedUserPassword, and populate it for the users that need access to the device.

Then we make use of slapd-relay and slapo-rwm, to present cryptedUserPassword as userPassword when our relayed tree (dc=example,dc=net,dc=ilom) is queried.

Our slapd.conf config looks like:

database relay
suffix "dc=example,dc=net,dc=ilom"
overlay rwm
rwm-rewriteEngine on
suffixmassage "dc=example,dc=net"
rwm-rewriteContext default
rwm-map attribute userPassword cryptedUserPassword
rwm-map attribute cryptedUserPassword userPassword
rwm-rewriteContext searchFilter
rwm-rewriteRule ".*uid=(.*)\)\)" "(&(uid=$1)(someAccessAttr=ilom))"

-- 
Dan White
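
Added example, not part of the original messages and not OpenLDAP code: a Python model of why the CompareRequest described in the question fails against an {SSHA} value while a BindRequest with the same password succeeds. It assumes Compare on userPassword behaves as plain octetStringMatch (the attribute's schema equality rule); the function names and the sample password are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = b"{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build a userPassword value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt)


def bind_style_check(stored: bytes, presented: bytes) -> bool:
    """Model of a simple Bind: recompute the salted hash from the cleartext."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:  # a digest with no salt is not a valid SSHA value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hmac.compare_digest(digest, hashlib.sha1(presented + salt).digest())


def compare_style_check(stored: bytes, asserted: bytes) -> bool:
    """Model of Compare (assumption: octetStringMatch): byte equality, no hashing."""
    return hmac.compare_digest(stored, asserted)


# Constructed sample value, not taken from any real directory.
STORED = make_ssha(b"s3cret-example", salt=b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print("stored value:         ", STORED.decode())
    print("bind, right password: ", bind_style_check(STORED, b"s3cret-example"))
    print("bind, wrong password: ", bind_style_check(STORED, b"wrong"))
    print("compare, cleartext:   ", compare_style_check(STORED, b"s3cret-example"))
```

The cleartext never equals the stored octets, so the Compare returns false regardless of whether the password is right; only the Bind path interprets the {SSHA} scheme prefix.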
