Marcin Giedz writes:
Hallvard B Furuseth wrote:
Not sure what "with respect to previous password hash" means, if not EXOP_MODIFY_PASSWD.
I mean. If userPassword uses md5 hash change it to new one but keep/use the same hash.
Oh. Just grab the old one, ignoring any access control rules, and see if it starts with '{something}'. Note that if it does but slapd doesn't know a hash method with that name, it may be because it comes from some other installation which does recognize it. In that case you can either fail or use some hash method which you or slapd do know.
That's exactly what it does. You just need an overlay in addition, to spawn updates to other entires. And if you want to catch add and modify operations too, the overlay can do that as well.
So as I understand:
- in my overlay check if EXOP_MODIFY is trigged if so let him do the job
And you can't do it with plain modify operations if the target uses a different hash than the modify operation does, since you can't decode the modify operation's hash.
- then back to my overlay and "search and modify" the other entries of
userPassword, right?
Yes. Unless you want to search and replace first and modify the requested entry afterwards, so any failure in the other entries will leave the requested entry unmodified. Either way has it advantages.
In case of BDB, maybe you can also get a transaction where you can rollback your changes if any change fail. I don't know.
BTW, remember that the userPassword attribute is multi-valued. One can match the submitted passwords, others not. Or several can match it, but with different hash methods.
Also, you may find user entries without userPassword. Do you add one, or not?