Thanks Dan. I will give this a try.


-Mike

> Date: Fri, 2 May 2014 09:05:32 -0500
> From: dwhite@olp.net
> To: mlstarling31@hotmail.com
> Subject: Re: Multiple userPasswords entries & resetting one value
> CC: openldap-technical@openldap.org
>
> On 05/01/14 21:36 -0400, Michael wrote:
> >I have a user with an SSHA userPassword value as well as a SASL
> >userPassword entry. The SASL entry will never change but I'd like to be
> >able to reset and age the SSHA entry only. Is this aging of only one value
> >possible with ppolicy and is it possible to handle manual resets with
> >ldappasswd and/or utilizing an LDIF file?
>
> By SASL userPassword entry, do you mean a cleartext value, or a
> {SASL}user@domain.com pass-through entry? I'll assume cleartext.
>
> Try setting olcPasswordHash to {SSHA} only. slapd may (or may
> not) leave the cleartext userPassword entry alone. I haven't used that
> case.
>
> A more straightforward approach would be to store your sasl authentication
> material in another sasl auxprop plugin (sasldb or sql) and set
> olcSaslAuxprops appropriately.
>
> --
> Dan White
>
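
The manual reset asked about in the quoted thread, as an added example that is not from either poster or from the OpenLDAP project: it builds an LDIF modify that deletes only the existing {SSHA} userPassword value and adds a freshly salted one, so any other value on the entry is left in place. The DN, passwords and second value are constructed, the function names are hypothetical, and how ppolicy accepts or ages such a change is not covered.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

PREFIX = "{SSHA}"

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(value: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value."""
    raw = base64.b64decode(value[len(PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

def reset_ssha_ldif(dn: str, values: List[str], new_password: str,
                    salt: Optional[bytes] = None) -> str:
    """Build an LDIF modify that swaps only the {SSHA} userPassword value."""
    old = [v for v in values if v.upper().startswith(PREFIX)]
    if len(old) != 1:
        raise ValueError("expected exactly one {SSHA} value, found %d" % len(old))
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "delete: userPassword",            # delete by value: other values stay
        "userPassword:: " + b64(old[0]),
        "-",
        "add: userPassword",
        "userPassword:: " + b64(ssha_hash(new_password, salt)),
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed entry: one {SSHA} value plus one value that must not change.
    current = [ssha_hash("old-secret"), "{SASL}user@example.com"]
    print(reset_ssha_ldif("uid=mike,ou=people,dc=example,dc=com",
                          current, "new-secret"))
```

The returned text is in the form `ldapmodify` reads.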