Rob Tanner wrote:
When I'm adding an attribute to my private schema and I'm not sure of the syntax OID, I look for a similar attribute in the schema included in the OpenLDAP distribution. The problem is that 'userPassword' is apparently defined by the software, since I can't find it in any of the schema files. If I encode the 'tempPassword' exactly the same as I encode 'userPassword', I'm guessing that what I'm writing is basically an octet string. Am I right?
1. Use a decent schema browser to examine the whole subschema subentry. This will also contain schema descriptions hard-coded in slapd (or its overlays).
2. userPassword is declared with OctetString (OID 1.3.6.1.4.1.1466.115.121.1.40). However if in your case you expect the password to be in clear-text and only contain strings you could type on a keyboard then DirectoryString (OID 1.3.6.1.4.1.1466.115.121.1.15) might be more appropriate.
Also, I note that while you can define an attribute that's named tempPassword, it will not be used by OpenLDAP for authentication. 'userPassword' is a special case. Similar behaviour could be achieved by writing an overlay, though, if that's what you want.
That's the entire purpose. A number of systems and services authenticate to the LDAP server. When users fail to take note of the expiry notices they're getting in their email and allow their password to expire and, oh, by the way, don't remember their own answers to the security questions, the support desk will assign them a temporary password that the password manager (a webapp) knows how to read.
IMO that's bad practice. When doing a password reset you should set a random value in userPassword together with a password expiration attribute (slapo-ppolicy).
Ciao, Michael.
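Michael's reset-with-a-random-value advice as an added example (my code, not from the thread or from the OpenLDAP project): it generates a random temporary password, stores it in the {SSHA} form slapd accepts in userPassword, and emits an LDIF modify. The DN is constructed, and using slapo-ppolicy's pwdReset attribute to force a change at next bind is my choice of mechanism, since the thread only says "password expiration attribute".

```python
import base64
import hashlib
import hmac
import os
import secrets
import string

# Constructed DN for the user being reset; not from the thread.
USER_DN = "uid=jdoe,ou=people,dc=example,dc=com"


def random_temp_password(length: int = 16) -> str:
    """Cryptographically random temporary password (letters and digits only)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def reset_ldif(dn: str, hashed: str) -> str:
    """LDIF modify that replaces userPassword and sets pwdReset: TRUE.
    Assumption: slapo-ppolicy is loaded and the binding admin may write pwdReset."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {hashed}",
        "-",
        "replace: pwdReset",
        "pwdReset: TRUE",
        "-",
        "",
    ])


if __name__ == "__main__":
    temp = random_temp_password()
    print(reset_ldif(USER_DN, ssha_hash(temp)))
```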