On 3/12/21 6:23 PM, Benjamin Renard wrote:
Hi,
On 12/03/2021 at 17:53, Michael Ströder wrote:
On 3/12/21 5:20 PM, Benjamin Renard wrote:
In one of my OpenLDAP installations, I'm starting to use the Ppolicy overlay, and it doesn't allow me to store multiple passwords in the userPassword attribute as is possible in a regular situation.
What's your use-case? Up to now, 100% of the concepts I saw relying on multiple user passwords were seriously flawed.
I'm looking for a solution that allows me to keep using Ppolicy and have the possibility to store an alternative user password (usually used by admins).
Ouch!
Many security regulations forbid especially this admin impersonation of arbitrary user accounts. And there are many good reasons for that.
This is my use-case, and I agree with you that it's not a regular situation. I don't have any responsibility for this choice; I'm just trying to address this historical use-case in a Ppolicy context. I don't see any technical reason why this requirement couldn't be achieved.
Ask yourself: How should password policy, e.g. correct password expiry, be applied to multiple, independently set userPassword values? You could of course hack your own slapo-ppolicy which does that with additional metadata. Good luck.
But I strongly recommend to get rid of this flawed use-case now by designing a more secure support process.
Ciao, Michael.