On 27/09/11 18:59 +0200, Michael Ströder wrote:
> HI!
>
> We have {SSHA}-hashed passwords in attribute userPassword.
>
> One application sends CompareRequests with the clear-text password instead of a BindRequest to validate the password which obviously fails. The application vendor claims it is too much effort to change that behaviour in the application. I guess this can only be solved in slapd by a custom overlay intercepting the CompareRequest (which is effort too).
>
> Or is there any other solution I don't know of?
We had a similar problem where Sun ILOM requires userPassword to be in a Solaris-compatible crypt format. We created a custom attribute, called cryptedUserPassword, and populate it for the users that need access to the device. Then we make use of slapd-relay and slapo-rwm to present cryptedUserPassword as userPassword when our relayed tree (dc=example,dc=net,dc=ilom) is queried.
Our slapd.conf config looks like:
    database relay
    suffix "dc=example,dc=net,dc=ilom"
    overlay rwm
    rwm-rewriteEngine on
    suffixmassage "dc=example,dc=net"
    rwm-rewriteContext default
    rwm-map attribute userPassword cryptedUserPassword
    rwm-map attribute cryptedUserPassword userPassword
    rwm-rewriteContext searchFilter
    rwm-rewriteRule ".*uid=(.*)))" "(&(uid=$1)(someAccessAttr=ilom))"
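Added example, not part of the original thread and not OpenLDAP code: a Python sketch of why the clear-text CompareRequest in the quoted question cannot match a {SSHA} value while a bind-style check can. It assumes Compare behaves as a byte-for-byte match of the asserted value against the stored value; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = b"{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; everything after it is the salt


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build a {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt)


def compare_style(stored: bytes, asserted: bytes) -> bool:
    """Model of a Compare (assumption): asserted bytes must equal stored bytes."""
    return hmac.compare_digest(stored, asserted)


def bind_style(stored: bytes, password: bytes) -> bool:
    """Model of a simple Bind: re-derive the digest using the stored salt."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # malformed base64 in the stored value
        return False
    if len(raw) <= SHA1_LEN:  # no salt present, so not a valid {SSHA} value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = b"s3cret-constructed"          # constructed sample password
    stored = ssha_hash(pw)              # what userPassword would hold
    print("compare, clear text :", compare_style(stored, pw))
    # Hashing on the client does not help either: the salt is random per value.
    print("compare, re-hashed  :", compare_style(stored, ssha_hash(pw)))
    print("bind-style check    :", bind_style(stored, pw))
```

The second line of output is the reason the application cannot be fixed by hashing the password before the Compare: without reading the stored salt it cannot reproduce the stored value.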