Brett Maxfield wrote:
Maybe generate a random challenge and store it in LDAP as an additional hashed password value, maybe with a special {challenge} hash type as a marker, assuming LDAP will try *all* passwords when logging in.
Implementing this with a multi-valued userPassword will raise some issues when sorting out the temporary challenge password later (whether or not the end user actually uses it). I'd go for separate LDAP entries where you can store additional expiration information.
Ciao, Michael.
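As an added illustration (not code from either poster) of the "separate entry with expiration" approach Michael prefers over a multi-valued userPassword: an in-memory model of such per-challenge records, where the challenge is stored only as a salted hash, compared in constant time, consumed on first use and purged once expired. The dictionary stands in for the LDAP entries; the function names and the TTL are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for one LDAP entry per challenge, keyed by uid.
# A real deployment would read/write these records through an LDAP client.
CHALLENGE_TTL = 600  # seconds a challenge stays valid (assumed value)


def issue_challenge(store, uid, now):
    """Create a one-time challenge for uid; the cleartext is returned once."""
    challenge = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    store[uid] = {
        "salt": salt,
        # never store the cleartext; only a salted digest, like a password
        "digest": hashlib.sha256(salt + challenge.encode()).digest(),
        "expires": now + CHALLENGE_TTL,
    }
    return challenge


def verify_challenge(store, uid, presented, now):
    """Check and consume the challenge; any attempt removes the record."""
    rec = store.pop(uid, None)  # single use: one attempt, then it is gone
    if rec is None:
        return False
    if now >= rec["expires"]:
        return False  # expired records are rejected even if the value matches
    digest = hashlib.sha256(rec["salt"] + presented.encode()).digest()
    return hmac.compare_digest(digest, rec["digest"])


def purge_expired(store, now):
    """Housekeeping the thread worries about: drop stale records, return count."""
    stale = [uid for uid, rec in store.items() if now >= rec["expires"]]
    for uid in stale:
        del store[uid]
    return len(stale)
```

Because each challenge lives in its own record with its own expiry, the cleanup is a simple sweep rather than an inspection of every value of userPassword.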