On Thu, Jul 18, 2019 at 08:32:22PM +0100, Howard Chu wrote:
it doesn't support setting the password using the PasswordModify exop. That seems to imply that users are required to generate their passwords using some other tool, and set them using a normal Modify op, but doing so is deprecated.
That is correct.
Password changes should only be done using the PasswordModify exop.
I wasn't sure how to do this. My implementation is essentially two password checks in one, so I need a way to tell the data apart. For the check functions this was easy as the OTP key is stored base32 encoded, and the DELIM character should not appear in a base32 string. For actual password input, I don't think I can make that assumption.
I think the safest way to hash this scheme would be to have two separate input prompts, but I didn't see in the existing code a provision for this. It's possible I wasn't looking in the right places. If you have any suggestions I'd be happy to try writing that code.
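The asymmetry raised in the message above, sketched as an added example (not part of the original thread and not the module's own code): a stored value can be split at the first delimiter because the base32 alphabet excludes it, while typed password input carries no such guarantee. The `'|'` delimiter, the key-first layout and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DELIM '|'   /* assumed value; the message only refers to "DELIM" */

/* RFC 4648 base32 alphabet (uppercase): A-Z, 2-7, plus '=' padding. */
static int is_base32_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= '2' && c <= '7') || c == '=';
}

/*
 * Split a stored value of the assumed form <base32 key> DELIM <rest>.
 * The first DELIM always ends the key, because DELIM is not a base32
 * character, so <rest> may itself contain DELIM without ambiguity.
 * Returns 0 on success, -1 if DELIM is missing, the key is empty, or
 * the key holds a character outside the base32 alphabet.
 */
int split_stored(const char *val, size_t *key_len, const char **rest)
{
    const char *d = strchr(val, DELIM);
    size_t i;

    if (d == NULL || d == val)
        return -1;
    for (i = 0; i < (size_t)(d - val); i++)
        if (!is_base32_char(val[i]))
            return -1;
    *key_len = (size_t)(d - val);
    *rest = d + 1;
    return 0;
}

/*
 * Count DELIM occurrences in user-typed input. A password may contain
 * any character, so a <field> DELIM <field> encoding of typed input has
 * one candidate split point per DELIM; any count above 1 is ambiguous.
 */
size_t count_delims(const char *input)
{
    size_t n = 0;

    for (; *input != '\0'; input++)
        if (*input == DELIM)
            n++;
    return n;
}
```
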