tonni@hetnet.nl wrote:
> I'd like to see ppolicy refuse to accept a multi-value userPassword.
Agreed, this problem is already highlighted in the current code. (See the FIXME comment in ppolicy.c around line 1556.) We just haven't decided on a proper solution yet.
It appears that the RFC3112 authPassword suffers from the same problem. If I were to design all of this today I would have made these attributes single-valued, and used attribute tags to specify the password hash mechanism. E.g.,

    authPassword;crypt: 0123456789abcd
    authPassword;sha1: xxxxxxxxxxxxxx
Since the Password Policy draft *does* include provisions for applying policies to multiple password attributes, this problem would no longer exist.
Of course now that userPassword and authPassword already exist, all the good attribute names are already gone. ;)
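As an added illustration of the two ideas in this thread (it is not code from the message, nor from OpenLDAP's ppolicy.c), here is a small Python check that parses attribute descriptions with RFC 4512 style `;option` tags, refuses more than one value per password attribute description, and reads the hash mechanism from the tag. The `authPassword;crypt` / `authPassword;sha1` tagging scheme is the one proposed above and is hypothetical; the entries and hash strings are constructed sample input.

```python
import re
from collections import defaultdict

# Attribute description per RFC 4512: a type name followed by zero or
# more ";option" tags. Matching is case-insensitive, so we lower-case.
ATTR_DESC = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)((?:;[A-Za-z0-9-]+)*)$")

# Password attributes the (hypothetical) policy applies to, and the
# hash-mechanism tags it recognises. This tag scheme is the one proposed
# in the message above, not something slapd implements.
PASSWORD_ATTRS = {"userpassword", "authpassword"}
HASH_TAGS = {"crypt", "sha1", "ssha"}


def parse_attribute_line(line):
    """Split 'attr;opt1;opt2: value' into (type, [options], value)."""
    desc, sep, value = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    m = ATTR_DESC.match(desc.strip())
    if not m:
        raise ValueError("bad attribute description: %r" % desc)
    atype = m.group(1).lower()
    options = [o.lower() for o in m.group(2).split(";") if o]
    return atype, options, value.strip()


def check_password_values(entry_lines):
    """Return (ok, problems, mechanisms) for one entry given as LDIF-like lines.

    ok is False when any password attribute description carries more than
    one value (the multi-valued userPassword case ppolicy cannot police),
    or when a description names more than one hash tag. mechanisms maps
    each password attribute description to the tag-selected hash (or None).
    """
    counts = defaultdict(int)
    mechanisms = {}
    problems = []
    for line in entry_lines:
        atype, options, _value = parse_attribute_line(line)
        if atype not in PASSWORD_ATTRS:
            continue
        desc = ";".join([atype] + options)
        counts[desc] += 1
        tags = [o for o in options if o in HASH_TAGS]
        if len(tags) > 1:
            problems.append("%s: conflicting hash tags %s" % (desc, tags))
        mechanisms[desc] = tags[0] if tags else None
    for desc, n in counts.items():
        if n > 1:
            problems.append("%s: %d values, policy allows at most one" % (desc, n))
    return not problems, problems, mechanisms


# Constructed sample entries (hash strings are placeholders, not real hashes).
MULTI_VALUED = [
    "cn: alice",
    "userPassword: {SSHA}constructed-hash-1",
    "userPassword: {SSHA}constructed-hash-2",
]
TAGGED = [
    "cn: bob",
    "authPassword;crypt: 0123456789abcd",
    "authPassword;sha1: xxxxxxxxxxxxxx",
]

if __name__ == "__main__":
    for name, entry in (("multi-valued userPassword", MULTI_VALUED),
                        ("tagged authPassword", TAGGED)):
        ok, problems, mechanisms = check_password_values(entry)
        print("%s: %s" % (name, "accepted" if ok else "refused"))
        for p in problems:
            print("  problem:", p)
        print("  mechanisms:", mechanisms)
```

With tags, `authPassword;crypt` and `authPassword;sha1` are distinct attribute descriptions, so each stays single-valued and the entry passes, while two bare `userPassword` values are refused; that is exactly the distinction the tagging proposal buys.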