[ldap] Re: multiple passwords for a user

2008-07-31 Thread Ritchie Young
> I guess this is the job of an IAM solution, do you know any good
> open-source one ?

Can I suggest my project RubySync (http://rubysync.org) as a possibility.
It's really a Ruby framework for writing synchronization scripts but I'm
fairly confident that you don't need to be a Ruby programmer to use it (only
to extend it).

Regards
Ritchie

-- 
Ritchie Young
http://rubysync.org


---
You are currently subscribed to [EMAIL PROTECTED] as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the 
SUBJECT of the message.


[ldap] Re: multiple passwords for a user

2008-06-08 Thread Gavin Henry

Gavin Henry wrote:
> Dustin Puryear wrote:
>> I have yet to see a good, working open source IAM solution.
>> Unfortunately.
>>
>> We work with commercial IAM solutions (e.g., Sun, CA) all the time
>> with our clients, but for small installations it would be VERY nice to
>> have a viable open source alternative.
>
> Why for only small installations?

Ignore me. I missed the tail end of the thread.

--
Kind Regards,

Gavin Henry.


T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [EMAIL PROTECTED]

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.



[ldap] Re: multiple passwords for a user

2008-06-08 Thread Gavin Henry

Dustin Puryear wrote:
> I have yet to see a good, working open source IAM solution. Unfortunately.
>
> We work with commercial IAM solutions (e.g., Sun, CA) all the time with
> our clients, but for small installations it would be VERY nice to have a
> viable open source alternative.

Why for only small installations?

--
Kind Regards,

Gavin Henry.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [EMAIL PROTECTED]

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.



[ldap] Re: multiple passwords for a user

2008-06-05 Thread Luca Scamoni

Dustin Puryear wrote:
> I have yet to see a good, working open source IAM solution.
> Unfortunately.
>
> We work with commercial IAM solutions (e.g., Sun, CA) all the time
> with our clients, but for small installations it would be VERY nice to
> have a viable open source alternative.

We developed one some years ago. Based upon OpenLDAP,
provisioning/deprovisioning against any LDAPv3 compliant server (even AD)

It's open, it works but... hey! it's only in Italian! too bad... ;-)
http://rap3.sys-net.it



Ing. Luca Scamoni
Head of Research and Development

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---
Office:  +39 0382 573859 (137)
Mobile:  +39 347 1014425
Email:   [EMAIL PROTECTED]
---




[ldap] Re: multiple passwords for a user

2008-06-05 Thread Adam Tauno Williams
> > I have yet to see a good, working open source IAM solution. Unfortunately.
> I don't think there's enough critical mass in the plumbing yet. Given all the 
> projects reinventing the wheel (OpenDS etc...) instead of enhancing what 
> already exists, the already-rare open source expertise in this technology is 
> just spread too thin.

This happens a lot;  one almost expects OpenLDAP to drop BDB and decide
to build their own storage backend... :)  That is meant as humor!

Anyway, saying things like "next generation directory service" irritates
me.  So OpenLDAP, FDS, etc... are "last generation" or "previous
generation" or ...?  What makes something like OpenDS "next generation"?
I'd wager anything that as far as scalability is concerned OpenLDAP will
leave it choking on dust.

> > We work with commercial IAM solutions (e.g., Sun, CA) all the time with
> > our clients, but for small installations it would be VERY nice to have a
> > viable open source alternative.
> That almost doesn't make sense to me. IAM has tended to mean big cumbersome
> shelfware sold to large enterprises. In small installations the problem
> really isn't big enough, and sysadmins aren't desperate enough yet. It might
> be nice, but usually in a small installation you can just attack the problem
> directly by consolidating accounts, so you don't need a management system to
> track multiple accounts per user.

I work for what I guess would be a medium sized organization (~500
employees).  We have lots of issues because we are too big and complex
for the SOHO kinds of solutions but not big enough for the "enterprise"
solutions (seems to mean >10,000 users;  which is a *big* gap between
small and enterprise).  Using Open Source, which we do for most of our
solutions does chafe sometimes.  On the other hand the admins I know at
"enterprise" institutions constantly joke about having various "high
end" packages "on the shelf".   I've also been to various vendor
presentations and dog-n-pony shows for some of the high-end solutions
and I always walk away thinking: "Ok, you're big. But does it *have* to be
*that* complicated?  Isn't a lot of this software just trying to
engineer around bad [or sloppy] policies and practices?"

Personally I'm looking forward to, or hoping might be more accurate,
that Samba4 arrives someday and front-ends OpenLDAP with its Active
Directory compatibility.  That will provide a lot of tools and
management functionality Open Source just doesn't currently have.  Of
course that isn't strictly "identity management" but it will certainly
help.




[ldap] Re: multiple passwords for a user

2008-06-05 Thread Michael Ströder

Howard Chu wrote:
>> From: Dustin Puryear<[EMAIL PROTECTED]>
>> We work with commercial IAM solutions (e.g., Sun, CA) all the time with
>> our clients, but for small installations it would be VERY nice to have a
>> viable open source alternative.
>
> That almost doesn't make sense to me. IAM has tended to mean big
> cumbersome shelfware sold to large enterprises. In small installations
> the problem really isn't big enough, and sysadmins aren't desperate
> enough yet. It might be nice, but usually in a small installation you
> can just attack the problem directly by consolidating accounts, so you
> don't need a management system to track multiple accounts per user.

I'm very sceptical regarding such products. I think they all fall short
in some regard and the same issues like with meta-directory products arise:
Even in large enterprises IAM systems do not really fit the business
processes. Yeah, management likes to buy off-the-shelf products. But
still a big customizing effort leading to a project budget nearly as
high as a self-implemented solution is reality. And even worse although
the customizing is indeed programming but it's most times not managed
like software development because implementors have the attitude that
it's still only configuration.

You can burn much money in these types of projects...

Ciao, Michael.



[ldap] Re: multiple passwords for a user

2008-06-04 Thread Howard Chu



> From: Dustin Puryear<[EMAIL PROTECTED]>
> Date: Wed, 04 Jun 2008 11:29:00 -0500
>
> I have yet to see a good, working open source IAM solution. Unfortunately.

I don't think there's enough critical mass in the plumbing yet. Given all the
projects reinventing the wheel (OpenDS etc...) instead of enhancing what
already exists, the already-rare open source expertise in this technology is
just spread too thin.

> We work with commercial IAM solutions (e.g., Sun, CA) all the time with
> our clients, but for small installations it would be VERY nice to have a
> viable open source alternative.

That almost doesn't make sense to me. IAM has tended to mean big cumbersome
shelfware sold to large enterprises. In small installations the problem really
isn't big enough, and sysadmins aren't desperate enough yet. It might be nice,
but usually in a small installation you can just attack the problem directly
by consolidating accounts, so you don't need a management system to track
multiple accounts per user.

> --
> Dustin Puryear
> President and Sr. Consultant
> Puryear Information Technology, LLC
> 225-706-8414 x112
> http://www.puryear-it.com
>
> Author, "Best Practices for Managing Linux and UNIX Servers"
> http://www.puryear-it.com/pubs/linux-unix-best-practices/
>
> Sébastien Barthélemy wrote:
>> Hello
>>
>> thank you for this detailed explanation.
>>
>>> Keep in mind that you now need to provision TWO accounts, one as the primary
>>> and one for SVN only. Assuming you have an IAM solution in place (even if
>>> it's homebrewed), this should be a no-brainer. (Yes, we do IAM.)
>>
>> No, I don't have any IAM solution, I even don't use LDAP for anything
>> other than testing now. Indeed, I was looking at ldap as a way to
>> centralize the user management, but I found no good solution. It seems
>> more and more obvious that the good way to handle this is to store
>> data in a database and use it to feed the ldap directory.
>>
>> I guess this is the job of an IAM solution, do you know any good
>> open-source one ?

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



[ldap] Re: multiple passwords for a user

2008-06-04 Thread Dustin Puryear

I have yet to see a good, working open source IAM solution. Unfortunately.

We work with commercial IAM solutions (e.g., Sun, CA) all the time with 
our clients, but for small installations it would be VERY nice to have a 
viable open source alternative.


--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices/


Sébastien Barthélemy wrote:
> Hello
>
> thank you for this detailed explanation.
>
>> Keep in mind that you now need to provision TWO accounts, one as the primary
>> and one for SVN only. Assuming you have an IAM solution in place (even if
>> it's homebrewed), this should be a no-brainer. (Yes, we do IAM.)
>
> No, I don't have any IAM solution, I even don't use LDAP for anything
> other than testing now. Indeed, I was looking at ldap as a way to
> centralize the user management, but I found no good solution. It seems
> more and more obvious that the good way to handle this is to store
> data in a database and use it to feed the ldap directory.
>
> I guess this is the job of an IAM solution, do you know any good
> open-source one ?



[ldap] Re: multiple passwords for a user

2008-06-02 Thread Sébastien Barthélemy
Hello

thank you for this detailed explanation.

> Keep in mind that you now need to provision TWO accounts, one as the primary
> and one for SVN only. Assuming you have an IAM solution in place (even if
> it's homebrewed), this should be a no-brainer. (Yes, we do IAM.)

No, I don't have any IAM solution, I even don't use LDAP for anything
other than testing now. Indeed, I was looking at ldap as a way to
centralize the user management, but I found no good solution. It seems
more and more obvious that the good way to handle this is to store
data in a database and use it to feed the ldap directory.

I guess this is the job of an IAM solution, do you know any good
open-source one ?



[ldap] Re: multiple passwords for a user

2008-05-30 Thread Dustin Puryear

Re: Second password for SVN users

This is sometimes done with email accounts as well, since clear-text 
POP3 and IMAPv4 are often used without SSL encryption. So you don't want 
people using their domain or SSH logins over POP3 at a coffee shop.


Generally, you would solve this with a second, service-specific account. 
Let's say you have an account container like so:


ou=Users,ou=Accounts,

Under ou=Users, you have your typical inetOrgPerson/posixAccount entries 
which are used for UNIX authentication and whatever else.


If you feel that these accounts may be exposed to some danger by 
services such as SVN, then you would create another container:


ou=SVN-Users,ou=Accounts,

And define those user entries differently:

dn: uid=dustin,ou=SVN-Users,ou=Accounts,
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
uid: dustin
userPassword: blah

And to find them your SVN would use a filter such as:

(&(objectClass=secondaryPosixAccount)(uid=dustin))

You have some risk here because services, like pam_ldap, may reject 
logins if you don't configure them properly since they may do a simple 
filter like so:


(&(objectClass=posixAccount)(uid=dustin))

This will return two entries, so you won't authn. In that case you can 
tweak your AUX secondaryPosixAccount objectClass so that this stops 
being an issue:


dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
svnUid: dustin
userPassword: blah

That way the only filter that will return this entry would be:

(&(objectClass=secondaryPosixAccount)(svnUid=dustin))

pam_ldap and others won't die because:

(&(objectClass=posixAccount)(uid=dustin))

Would never return this entry.

Hmm, thinking on this further, if you were to extend posixAccount like 
this you would still have the problem that uid is required, so you have 
to either a) use another objectClass to extend like 
simpleSecurityObject, or b) build your uid for secondaryPosixAccount in 
a way that breaks the match, like so:


dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
uid: dustin-secondaryPosixAccount
svnUid: dustin
userPassword: blah

Option (a) is cleaner, but you could do (b). Regardless, this route 
probably provides the most viable solution for you.


Keep in mind that you now need to provision TWO accounts, one as the 
primary and one for SVN only. Assuming you have an IAM solution in place 
(even if it's homebrewed), this should be a no-brainer. (Yes, we do IAM.)


I hope this helps. :)

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices/


Sébastien Barthélemy wrote:
> Hello everybody,
>
> I'm wondering if it is possible for a user to have multiple passwords
> stored in ldap.
>
> For instance, I store accounts for my users in ldap and want
> them to access
>  - unix servers using ssh
>  - svn repositories (using apache/webdav)
>
> For unix servers and ssh, no problem, one could bind ldap with pam and
> this use case is well documented.
>
> Apache (and thus svn) also can be bound to pam. However, many svn clients
> store user password in clear in some text file, which is a serious security
> risk for my unix server. Thus I would prefer to have a separate password
> for svn.
>
> Is it possible in a standard way ? (How) can I store an additional in my
> ldap schema ?
>
> Is such use case documented somewhere ?
>
> Thanks a lot for any help,
>
> Sebastien Barthelemy.
>
> PS: I'm a beginner here, all I know about ldap is the book LDAP system
> administration, so please excuse me if my question is naive, and don't
> hesitate to redirect me to the good documentation.
>
> --
> Sébastien Barthélemy

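The filter behaviour described in Dustin Puryear's post above, worked through as an added example that is not part of the original thread. It evaluates the post's three filters against constructed entries with a small in-memory matcher; the suffix dc=example,dc=com (the post elides it), the helper names, and the "exactly one match or reject" login rule modelled on the post's description of pam_ldap are assumptions.

```python
# Added example: in-memory evaluation of the LDAP filters quoted in the post.
# All entries are constructed; dc=example,dc=com is an assumed suffix.
SUFFIX = "ou=Accounts,dc=example,dc=com"


def entry(dn, **attrs):
    """Build an entry; attribute names are stored lower-cased, values as lists."""
    return {"dn": dn, "attrs": {k.lower(): v for k, v in attrs.items()}}


PRIMARY = entry(f"uid=dustin,ou=Users,{SUFFIX}",
                objectClass=["inetOrgPerson", "posixAccount"], uid=["dustin"])
# First layout in the post: the SVN entry reuses uid=dustin.
SVN_SAME_UID = entry(f"uid=dustin,ou=SVN-Users,{SUFFIX}",
                     objectClass=["posixAccount", "secondaryPosixAccount"],
                     uid=["dustin"])
# Option (b) in the post: uid is made unique, svnUid carries the login name.
SVN_OPTION_B = entry(f"svnUid=dustin,ou=SVN-Users,{SUFFIX}",
                     objectClass=["posixAccount", "secondaryPosixAccount"],
                     uid=["dustin-secondaryPosixAccount"], svnUid=["dustin"])

PAM_FILTER = "(&(objectClass=posixAccount)(uid=dustin))"
SVN_FILTER_UID = "(&(objectClass=secondaryPosixAccount)(uid=dustin))"
SVN_FILTER_SVNUID = "(&(objectClass=secondaryPosixAccount)(svnUid=dustin))"


def _parse(text, i):
    """Parse one filter at text[i]; handles &, |, !, equality and presence only
    (no RFC 4515 escapes or substring matches)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|!":
        op, kids, i = text[i], [], i + 1
        while text[i] == "(":
            kid, i = _parse(text, i)
            kids.append(kid)
        if text[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = text.index(")", i)
    attr, sep, value = text[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed comparison near offset {i}")
    # uid and objectClass compare case-insensitively, so fold both sides.
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1


def parse_filter(text):
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, attrs):
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, wanted = node
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if wanted == "*" else wanted in values


def search(directory, filter_text):
    """Return the DNs of all entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, e["attrs"])]


def resolve_login(directory, filter_text):
    """Return the DN to bind as, or None unless exactly one entry matches."""
    hits = search(directory, filter_text)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for label, svn_entry in (("same uid", SVN_SAME_UID), ("option (b)", SVN_OPTION_B)):
        directory = [PRIMARY, svn_entry]
        print(label, "PAM filter ->", search(directory, PAM_FILTER))
        print(label, "PAM login  ->", resolve_login(directory, PAM_FILTER))
```
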


[ldap] Re: multiple passwords for a user

2008-05-06 Thread Michael Ströder

Sébastien Barthélemy wrote:
> 2008/5/6 [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
>> I did not try this myself (I had some problems getting the whole
>> kerberos+ldap etc etc authentication working at all with all kind of
>> clients), and I don't know if all svn clients are kerberos capable.
>
> I had problems with various svn clients when I was using digest
> authentication. Now I use basic authentication + SSL which seems
> widely supported, and I would prefer to stick with it, if possible.

Both mechanisms also do not solve your problem with passwords being stored
in clear at the SVN client-side. I guess there's no effective technical
solution to get rid of this problem. Even with SSO solutions like
Kerberos or CAS people can shoot themselves in the foot and circumvent
your security policy. You have to make your users aware of the issue and
then provide an appropriate technical solution.


Ciao, Michael.



[ldap] Re: multiple passwords for a user

2008-05-06 Thread Michael Ströder

Sébastien Barthélemy wrote:
> 2008/5/6 Terry Gardner <[EMAIL PROTECTED]>:
>> According to RFC4519, 'userPassword' is a multi-valued attribute.
>
> Thanks for pointing this out. If I understand correctly, an entry may
> have multiple uid and userPassword. However it seems that all the
> passwords play the same role. Thus in my case a user could log in the
> ssh server using its SVN password. Am I right ?

Yes. Multi-valued userPassword attribute does not solve your issue of
passwords being stored in clear at the SVN client side. It generates
more problems though (e.g. with password change).


Ciao, Michael.



[ldap] Re: multiple passwords for a user

2008-05-06 Thread Sébastien Barthélemy
> 2008/5/6 Terry Gardner <[EMAIL PROTECTED]>:
> According to RFC4519, 'userPassword' is a multi-valued attribute.

Thanks for pointing this out. If I understand correctly, an entry may
have multiple uid and userPassword. However it seems that all the
passwords play the same role. Thus in my case a user could log in the
ssh server using its SVN password. Am I right ?

I don't know how the multiple uids are handled

Here is the relevant part of RFC4519:
> 2.39. 'uid'
>
> The 'uid' ('userid' in RFC 1274) attribute type contains computer
> system login names associated with the object. Each name is one
> value of this multi-valued attribute.
> (Source: RFC 2798 [RFC2798] and RFC 1274 [RFC1274])
>
> ( 0.9.2342.19200300.100.1.1 NAME 'uid'
> EQUALITY caseIgnoreMatch
> SUBSTR caseIgnoreSubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
>
> 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
> [RFC4517].
>
> Examples: "s9709015", "admin", and "Administrator".

> 2.41. 'userPassword'
>
> The 'userPassword' attribute contains octet strings that are known
> only to the user and the system to which the user has access. Each
> string is one value of this multi-valued attribute.
>
> The application SHOULD prepare textual strings used as passwords by
> transcoding them to Unicode, applying SASLprep [RFC4013], and
> encoding as UTF-8. The determination of whether a password is
> textual is a local client matter.
> (Source: X.509 [X.509])
>
> ( 2.5.4.35 NAME 'userPassword'
> EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
>
> 1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax
> [RFC4517].
>
> Passwords are stored using an Octet String syntax and are not
> encrypted. Transfer of cleartext passwords is strongly discouraged
> where the underlying transport service cannot guarantee
> confidentiality and may result in disclosure of the password to
> unauthorized parties.
>
> An example of a need for multiple values in the 'userPassword'
> attribute is an environment where every month the user is expected to
> use a different password generated by some automated system. During
> transitional periods, like the last and first day of the periods, it
> may be necessary to allow two passwords for the two consecutive
> periods to be valid in the system.
>



[ldap] Re: multiple passwords for a user

2008-05-06 Thread Sébastien Barthélemy
2008/5/6 [EMAIL PROTECTED] <[EMAIL PROTECTED]>:

> I did not try this myself (I had some problems getting the whole
> kerberos+ldap etc etc authentication working at all with all kind of
> clients), and I don't know if all svn clients are kerberos capable.


I had problems with various svn clients when I was using digest
authentication. Now I use basic authentication + SSL which seems widely
supported, and I would prefer to stick with it, if possible.

Thanks for your suggestion though, I did not think about kerberos myself at
all.




[ldap] Re: multiple passwords for a user

2008-05-06 Thread Terry Gardner

According to RFC4519, 'userPassword' is a multi-valued attribute.

On May 6, 2008, at 6:22 AM, Sébastien Barthélemy wrote:
> Hello everybody,
>
> I'm wondering if it is possible for a user to have multiple passwords
> stored in ldap.
>
> For instance, I store accounts for my users in ldap and want
> them to access
>  - unix servers using ssh
>  - svn repositories (using apache/webdav)
>
> For unix servers and ssh, no problem, one could bind ldap with pam
> and this use case is well documented.
>
> Apache (and thus svn) also can be bound to pam. However, many svn
> clients store user password in clear in some text file, which is a
> serious security risk for my unix server. Thus I would prefer to
> have a separate password for svn.
>
> Is it possible in a standard way ? (How) can I store an additional
> in my ldap schema ?
>
> Is such use case documented somewhere ?
>
> Thanks a lot for any help,
>
> Sebastien Barthelemy.
>
> PS: I'm a beginner here, all I know about ldap is the book LDAP system
> administration, so please excuse me if my question is naive, and don't
> hesitate to redirect me to the good documentation.
>
> --
> Sébastien Barthélemy



"Sometime they'll give a war and nobody will come." - Carl Sandberg







[ldap] Re: multiple passwords for a user

2008-05-06 Thread [EMAIL PROTECTED]

Hello,

You could also consider Kerberos authentication. The svn clients then
do not have to store a local password and as a bonus you get a single
signon. The svn clients use the kerberos ticket which is created when
logging in to the kerberos server.


I did not try this myself (I had some problems getting the whole 
kerberos+ldap etc etc authentication working at all with all kind of 
clients), and I don't know if all svn clients are kerberos capable.


I found this URL for a working unix svn client: 
https://svn.cse.ucdavis.edu/trac/UCDPloneSkin/wiki/UsingKerberosToAccessSvn
and this one for a not working tortoise client: 
http://svn.haxx.se/users/archive-2006-08/1224.shtml


succes, Wessel


Sébastien Barthélemy wrote:
> Hello everybody,
>
> I'm wondering if it is possible for a user to have multiple passwords
> stored in ldap.
>
> For instance, I store accounts for my users in ldap and want
> them to access
>  - unix servers using ssh
>  - svn repositories (using apache/webdav)
>
> For unix servers and ssh, no problem, one could bind ldap with pam and
> this use case is well documented.
>
> Apache (and thus svn) also can be bound to pam. However, many svn
> clients store user password in clear in some text file, which is a serious
> security risk for my unix server. Thus I would prefer to have a
> separate password for svn.
>
> Is it possible in a standard way ? (How) can I store an additional in
> my ldap schema ?
>
> Is such use case documented somewhere ?
>
> Thanks a lot for any help,
>
> Sebastien Barthelemy.
>
> PS: I'm a beginner here, all I know about ldap is the book LDAP system
> administration, so please excuse me if my question is naive, and don't
> hesitate to redirect me to the good documentation.
>
> --
> Sébastien Barthélemy
