Michael Ströder wrote:
> On 3/12/21 5:20 PM, Benjamin Renard wrote:
>> In one of my OpenLDAP installations, I started using the Ppolicy overlay and
>> it doesn't allow me to store multiple passwords in the userPassword
>> attribute, as is possible in a regular situation.
> 
> What's your use-case? Up to now 100% of the concepts I saw relying on
> multiple user passwords were seriously flawed.
> 
>> I'm looking for a solution
>> that allows me to keep using Ppolicy and have the possibility to store an
>> alternative user password (usually used by admins).

As Michael correctly points out, this is an incredibly bad approach.

Also, in LDAP it is fundamentally wrong. Instead, you should create dedicated
admin accounts, and if you want to let them impersonate other specific users,
give them AuthzTo privileges for use with proxy authorization.
> 
> Ouch!
> 
> Many security regulations forbid especially this admin impersonation to
> arbitrary user accounts. And there are many good reasons for that.
> 
> Ciao, Michael.
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
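As an added illustration of the proxy-authorization setup Howard describes (not code from this thread or from the OpenLDAP project; the suffix dc=example,dc=com, the ou=admins container, the helpdesk-admin account and the two user DNs are assumed), this LDIF enables the "to" authorization policy in cn=config and gives one dedicated admin account its own password and the right to act only as two named users, rather than as arbitrary accounts:

```ldif
# Added example, not from the thread. Assumed suffix: dc=example,dc=com.
# Step 1: enable proxy authorization with the "to" policy, meaning the
# authorizing identity (the admin entry) lists the identities it may assume.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# Step 2: a dedicated admin account (assumed DN). It binds with its own
# credentials; no shared or alternative password is stored on the users.
# Set its password afterwards with ldappasswd so no hash lands in this file.
# dn.exact limits the grant to the listed entries only, so the admin cannot
# impersonate arbitrary accounts (the point Michael raises).
dn: uid=helpdesk-admin,ou=admins,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Helpdesk Admin
sn: Admin
uid: helpdesk-admin
authzTo: dn.exact:uid=alice,ou=people,dc=example,dc=com
authzTo: dn.exact:uid=bob,ou=people,dc=example,dc=com
```

The admin then binds as itself and adds the proxy authorization control to the operation, e.g. `ldapwhoami -D uid=helpdesk-admin,ou=admins,dc=example,dc=com -W -e '!authzid=dn:uid=alice,ou=people,dc=example,dc=com'`, which reports alice's DN, and the operation runs under alice's ACLs while the admin's own password remains a separate, individually auditable credential.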
