Hello openldap-technical,
I'm wondering what the OpenLDAP-technical World thinks about LDAP
authentication secrets. A couple of observations and questions:
- RFC 4519 allows userPassword to be multi-valued and it gives
some rationale which is logical, but it also seems to lack
imagination. There seem to be more possibilities for abuse by
defining attributeType this way than legitimate use cases. Is
there any way to force userPassword to be single-valued? Has
anyone attempted this?
- Assuming you decide to ditch passwords, and use TLS EXTERNAL,
you still have the problem of storing the key, and the risk that
if the key is stolen, then someone other than you can
authenticate as you. Of course store it on storage with
permissions and ownership of files set correctly. That goes
without being said, but storage is not always perfectly secure
or private, so let's not trust it completely. Short lifetimes
would be one mitigation. And CRLs of course. What else do people
do?
- Is there any way to have ldap* commands read the key in from an
environment variable or a call to gpg/secrets store/etc.? Funky
alias / bash-wrapper yeah but I'm looking for something less
clunky.
many thanks,
Chris Paul | Rex Consulting | https://www.rexconsulting.net
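For the first question, OpenLDAP's slapo-constraint overlay can cap the number of values an attribute may hold. This is an added example, not part of the post above, showing the cn=config form (the database DN olcDatabase={1}mdb is an assumption; use the database that holds your user entries), with the equivalent slapd.conf directives in comments:

```ldif
# slapd.conf equivalent, placed in the database section holding users
# (add "moduleload constraint.la" first if overlays are built as modules):
#   overlay constraint
#   constraint_attribute userPassword count 1
#
# cn=config form: attach the overlay to the user database and limit
# userPassword to at most one value per entry.
dn: olcOverlay=constraint,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: userPassword count 1
```

Any add or modify through slapd that would leave an entry with more than one userPassword value is then rejected with constraintViolation; the check does not apply to offline slapadd loads and does not retroactively fix entries that already hold several values.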