On Fri, Mar 25, 2022 at 06:25:23PM +0100, Michael Ströder wrote:
> Or you're verifying the password hash and password policy yourself. This would require that the LDAP client has read access to password hashes.
> Or in case the server is a recent OpenLDAP slapd then you might want to look into using the Verify Credentials extended operation.
AFAIK you don't even need to do that: the behera ppolicy draft suggests[0] Compares should be processed in a very similar way without destroying connection state, and ppolicy implements that. Not sure about the ACL requirements, but that should be easy to figure out.
[0]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11#s...
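For the first route mentioned above (the client reading the hash and verifying it itself), here is an added, self-contained example; it is not code from this thread or from OpenLDAP. It parses userPassword values in slapd's {SCHEME}base64 layout, where salted schemes store digest || salt (4-byte salts by default), covers the built-in {SHA}/{SSHA}/{MD5}/{SMD5} schemes plus the SHA-2 family from the pw-sha2 contrib module, and compares in constant time. The sample values are constructed in the code; the one {SHA} literal is the well-known hash of "secret". What it deliberately cannot do is the point of the thread: since the check never reaches slapd, none of the ppolicy state (lockout, expiry, failure counters) is consulted or updated, which a Bind, a Compare under ppolicy, or the Verify Credentials extop would give you. {CRYPT} is not handled and raises rather than silently failing.

```python
"""Offline verification of OpenLDAP userPassword values (added example).

Assumes only the Python standard library. Requires that the client has been
granted read access to userPassword; does not enforce any server-side policy.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scheme -> (hashlib algorithm, salted?)
# {SHA}/{SSHA}/{MD5}/{SMD5} are built into slapd; the SHA-2 schemes come from
# the pw-sha2 contrib module. Salted schemes store base64(digest || salt).
SCHEMES = {
    "SHA": ("sha1", False),      "SSHA": ("sha1", True),
    "MD5": ("md5", False),       "SMD5": ("md5", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Return (SCHEME, payload) for '{scheme}payload'; no braces means cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the layout slappasswd -h {SCHEME} produces."""
    algo, salted = SCHEMES[scheme.upper()]
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(4) if salt is None else salt  # slapd default: 4 random bytes
        raw = hashlib.new(algo, pw + salt).digest() + salt
    else:
        raw = hashlib.new(algo, pw).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(raw).decode("ascii"))


def verify_userpassword(stored: str, password: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme is None:  # cleartext userPassword: still compare in constant time
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme not in SCHEMES:  # e.g. {CRYPT}: refuse rather than guess
        raise ValueError("unsupported password scheme {%s}" % scheme)
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    size = hashlib.new(algo).digest_size
    if salted:
        if len(raw) < size:
            return False
        digest, salt = raw[:size], raw[size:]  # salt is whatever follows the digest
        expected = hashlib.new(algo, pw + salt).digest()
    else:
        if len(raw) != size:
            return False
        digest, expected = raw, hashlib.new(algo, pw).digest()
    return hmac.compare_digest(digest, expected)


# Constructed sample values: a fixed-salt {SSHA} built above, and the widely
# quoted {SHA} value for the password "secret".
SAMPLE_SSHA = make_userpassword("correct horse", "SSHA", salt=b"\x01\x02\x03\x04")
SAMPLE_SHA_SECRET = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="

if __name__ == "__main__":
    print(SAMPLE_SSHA, verify_userpassword(SAMPLE_SSHA, "correct horse"))
    print(SAMPLE_SHA_SECRET, verify_userpassword(SAMPLE_SHA_SECRET, "secret"))
```

The ACL side of this route is the cost Michael points at: the binding identity needs `read` (not just `auth`) on userPassword for every entry it wants to verify, which is exactly the exposure a Compare or Verify Credentials design avoids.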