On Fri, Mar 25, 2022 at 06:25:23PM +0100, Michael Ströder wrote:
> Or you're verifying the password hash and password policy yourself. This
> would require that the LDAP client has read access to password hashes.
>
> Or in case the server is a recent OpenLDAP slapd then you might want to look
> into using the Verify Credentials extended operation.
AFAIK you don't even need to do that; the behera ppolicy draft suggests [0]
Compares should be processed in a very similar way without destroying
connection state, and ppolicy implements that. Not sure about the ACL
requirements but that should be easy to figure out.

[0] https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11#section-9.4

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
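The ACL side of the Compare approach, as an added example that is not part of the thread above or of OpenLDAP's own documentation: a dedicated verifier identity is granted the `compare` access level on `userPassword` (which does not include `read`, so it can never fetch hashes), while ordinary users keep `auth` for Bind and `write` on their own password. The suffix `dc=example,dc=com`, the verifier DN `cn=verifier,ou=services,dc=example,dc=com` and the database index `olcDatabase={1}mdb` are assumptions for the example. The `replace:` overwrites the whole `olcAccess` list of that database, so merge it with any existing rules rather than applying it as-is.

```ldif
# Added example (not from the thread): cn=config modification granting a
# verifier identity Compare-only access to userPassword.
# Assumed values: suffix dc=example,dc=com, database olcDatabase={1}mdb,
# verifier DN cn=verifier,ou=services,dc=example,dc=com.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=verifier,ou=services,dc=example,dc=com" compare
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

With that in place (and the ppolicy overlay loaded on the database), the verifier checks a candidate password with a Compare request instead of a Bind, e.g. `ldapcompare -H ldap://ldap.example.com -D "cn=verifier,ou=services,dc=example,dc=com" -W "uid=alice,ou=people,dc=example,dc=com" "userPassword:Candidate-Pa55"`; the exit status is 6 for compareTrue and 5 for compareFalse, and the verifier's own bound connection is untouched. The host and user DN in that command are likewise assumptions. Note that ACL rules are evaluated in order and the first matching `by` clause wins, so the verifier clause is listed before the catch-all `by * none`.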
