François Beretti wrote:
> Hi,
> I am implementing password policy in my LDAP-based software. When
> using Fedora DS I encountered several problems (or questions):
> 1) when password expired, no request other than modifying its
> userPassword attribute is allowed. Two requests would have been
> useful in my opinion:
> * Start TLS: I want to enable TLS just before changing my password,
> but:
> - Start TLS is not allowed, since it is not the only allowed
> modify request on userpassword

Can you do the StartTLS extended operation first, before the bind
request, then the password modify?

> - After Start TLS (when the password is not expired), it seems
> that the connection sometimes becomes anonymous, and needs a new bind.

I'm not sure what you mean. Can you elaborate on this?

> I thought only the Stop TLS operation must disable the authentication
> on the LDAP connection

Do you mean authentication or transport encryption?

> * Password Modify Extended operation: I just thought it would be a
> good idea to use it to change a password, but it is not allowed

Even if you do this as the first operation, before the bind?

> 2) when changing the password using a standard ldap modify request, if
> I send two modify operations in the same request, the first one to
> remove the old password and the second one to add the new password, do
> I need to hash the old password for it to be in the same format as
> in the directory?

No. You should not send pre-hashed passwords, you should let the DS
hash the passwords.

> 3) when using the Password Modify Extended operation, then at the next
> logon the server requires the user to change its password! So I
> definitely can't use this operation on a server implementing password
> policy. I believe that in the Fedora DS password policy code this
> operation is only seen as an administration request, not intended to
> be done by a user: it is handled as a "force password" request, not a
> "change password" request.

Hmm - that could be a bug in that we perhaps do not reset the password
expiration time. It's supposed to - it goes through the same code as
regular password modify.

> 4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s
> blocks the calling thread. I don't know if it comes from the server,
> the client API, or both. It is not too bad since I can just call
> ldap_unbind and ldap_init instead.
> François
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
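The sequence the reply recommends for an expired password (StartTLS first, then the bind, then Password Modify) as an added example that is not from this thread: the three client messages built as raw BER using only the Python standard library, so what actually reaches the server is visible. The OIDs are the registered ones from RFC 4511 (StartTLS) and RFC 3062 (Password Modify); the DN and passwords are constructed values. Leaving userIdentity out of the Password Modify value means "the user currently bound" per RFC 3062, and both passwords travel in clear, which is why StartTLS has to come first and why pre-hashing them client-side is wrong.

```python
# Added example: LDAP client messages for an expired-password change, hand-encoded as BER.
from typing import List, Optional

START_TLS_OID = "1.3.6.1.4.1.1466.20037"      # RFC 4511 section 4.14
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (message IDs, protocol version)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def _ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return _tlv(0x30, _ber_int(message_id) + protocol_op)

def extended_request(message_id: int, oid: str, value: Optional[bytes] = None) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, requestValue [1] OPTIONAL }"""
    body = _tlv(0x80, oid.encode("ascii"))
    if value is not None:
        body += _tlv(0x81, value)
    return _ldap_message(message_id, _tlv(0x77, body))  # 0x77 = APPLICATION 23, constructed

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name LDAPDN, simple [0] OCTET STRING }"""
    op = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _ldap_message(message_id, _tlv(0x60, op))

def passwd_modify_value(old_passwd: str, new_passwd: str, user_identity: Optional[str] = None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] } (all OPTIONAL).
    Passwords are sent as given; the directory hashes them on storage."""
    parts = b"" if user_identity is None else _tlv(0x80, user_identity.encode())
    parts += _tlv(0x81, old_passwd.encode()) + _tlv(0x82, new_passwd.encode())
    return _tlv(0x30, parts)

def expired_password_change(dn: str, old_passwd: str, new_passwd: str) -> List[bytes]:
    """Client messages in send order on one connection (constructed DN/passwords in the test)."""
    return [
        extended_request(1, START_TLS_OID),                 # 1. StartTLS, before any bind
        simple_bind_request(2, dn, old_passwd),             # 2. bind with the expired password
        extended_request(3, PASSWD_MODIFY_OID,              # 3. change it; no userIdentity -> bound user
                         passwd_modify_value(old_passwd, new_passwd)),
    ]
```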