ldapext@ietf.org
[Top] [All Lists]

Re: [ldapext] [Fwd: Re: [OpenDS-users] LDAP Password Modify Extended Ope

Subject: Re: [ldapext] [Fwd: Re: [OpenDS-users] LDAP Password Modify Extended Operation]
From: Michael Ströder
Date: Mon, 14 Jul 2008 11:05:57 +0200
Howard Chu wrote:
On the flip side, using an explicitly tagged authzID has the advantage of not making the server try to guess what form of userID has been provided...

Yes, this could lead to serious issues.

As a complete aside, there seems to be a disconnect here - it appears that there ought to be a way to specify which password validation mechanism's password is being changed. E.g., it's possible for a user to have a valid directory entry with a local userPassword attribute, as well as a valid password in an external store, e.g. sasldb. (Ugly, but this used to come up frequently.) The local userPassword would be used for Simple Binds, and the sasldb would be used for SASL Binds. Similarly for SASL Binds, not all mechs will necessarily use the same password, so it may be desirable to specify which mech's password to set. (E.g., SASL/OTP)

Most times there is already a server-side mapping from authc-ID to authz-ID in form of a DN. So if the authz-ID is sent in form of a DN for userIdentity in the PasswdModifyRequestValue the server has to apply the reverse mapping to find the accompanying authc-ID for which to change the password.

Ciao, Michael.
_______________________________________________
Ldapext mailing list
Ldapext@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ldapext

<Prev in Thread] Current Thread [Next in Thread>