Hello,
Adrian Overbury wrote: [...]
Now, I created the attribute tempPassword, and made it SUP userPassword, but it doesn't seem to have inherited any of userPassword's functionality, like the ability to hash the entered string with a given scheme (like if I entered {SSHA}password I'd end up with a SHA-1 hashed password) and automatic encoding to base64.
The functionality you mention is
- not part of the LDAP server but part of a client exporting to LDIF (base64 encoding)
- specific to the userPassword attribute, because the extended operation "password modify" only operates on the attribute named "userPassword".
I don't know of any functionality in the LDAP server that hashes the password when you just modify the userPassword attribute normally.
I know (or, at least, I *think*) that userPassword is a multi-valued attribute, so I could just enter another userPassword and let it auth off that, but that defeats the purpose, [...]
Why? It sounds like just what you want.
All of it relies on me being able to create a new password attribute and auth off it, though, so, anyone able to help?
I am not aware of another attribute that OpenLDAP could use for authentication via simple bind.
Since userPassword is a multi-valued attribute, you could simply add a password just before an operator wants to start a "login as user" session and remove it after a timeout. You'd just have to save the password string you set in your "service-management software", so you can delete the right one after the operator session ends.
bye Christian
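As an added illustration of the approach described in this reply (it is not code from the thread, from OpenLDAP, or from any of the posters), the Python script below generates a random temporary password for an operator session, hashes it on the client side as {SSHA} on the assumption that a plain modify stores the value exactly as sent, produces the LDIF that adds it as one more userPassword value, and produces the LDIF that later removes exactly that value. The sample DN, the function names and the use of ldapmodify are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample DN for illustration; not taken from the thread.
EXAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(SHA-1(password + salt) + salt).

    A plain modify is assumed to store the string as sent, so the client does
    the hashing before writing the value.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _ldif_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING check: ASCII only, no NUL/CR/LF, no leading space,
    colon or '<', and no trailing space."""
    if not value:
        return True
    if value[0] in " :<" or value.endswith(" "):
        return False
    return all(ord(c) < 128 and c not in "\x00\r\n" for c in value)


def ldif_attr(attr: str, value: str) -> str:
    """One LDIF attribute line; unsafe values get the base64 ('::') form,
    which is the encoding an LDIF-exporting client applies."""
    if _ldif_safe(value):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def add_temp_password_ldif(dn: str, hashed: str) -> str:
    """ldapmodify input that adds one more userPassword value; the attribute is
    multi-valued, so the user's own password is left untouched."""
    return "\n".join([
        ldif_attr("dn", dn),
        "changetype: modify",
        "add: userPassword",
        ldif_attr("userPassword", hashed),
        "-",
        "",
    ])


def delete_temp_password_ldif(dn: str, hashed: str) -> str:
    """ldapmodify input that removes exactly the value added earlier. Naming the
    value under 'delete:' is what keeps the other values (the real password)."""
    return "\n".join([
        ldif_attr("dn", dn),
        "changetype: modify",
        "delete: userPassword",
        ldif_attr("userPassword", hashed),
        "-",
        "",
    ])


def operator_session(dn: str) -> Tuple[str, str, str]:
    """Generate a random temporary password for a 'login as user' session and
    return (clear text for the operator, add LDIF, delete LDIF). The delete LDIF
    embeds the exact hashed value, so the management software can remove the
    right value when the session ends or times out."""
    temp = base64.urlsafe_b64encode(os.urandom(18)).decode("ascii")
    hashed = ssha_hash(temp)
    return temp, add_temp_password_ldif(dn, hashed), delete_temp_password_ldif(dn, hashed)


if __name__ == "__main__":
    clear, add_ldif, del_ldif = operator_session(EXAMPLE_DN)
    print("temporary password for the operator:", clear)
    print("--- feed to ldapmodify at session start ---")
    print(add_ldif)
    print("--- feed to ldapmodify at session end / timeout ---")
    print(del_ldif)
```

The two LDIF documents are meant for `ldapmodify -x -D <admin dn> -W -f <file>` against the directory; keeping the delete document (or just the hashed value) until the timeout fires is the bookkeeping the reply refers to, and because the delete names the value explicitly it cannot remove the user's real password by accident.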