On 3/28/22 10:55, Ondřej Kuzník wrote:
> On Fri, Mar 25, 2022 at 06:25:23PM +0100, Michael Ströder wrote:
> > Or you're verifying the password hash and password policy yourself. This would require that the LDAP client has read access to password hashes.
> > Or in case the server is a recent OpenLDAP slapd then you might want to look into using the Verify Credentials extended operation.
> AFAIK you don't even need to do that, the behera ppolicy draft suggests[0] Compares should be processed in a very similar way without destroying connection state and ppolicy implements that.
I'd very much appreciate if that would work.
But it doesn't:
https://bugs.openldap.org/show_bug.cgi?id=4366
Any chance to see this implemented in 2.6.x?
Not sure about the ACL requirements but that should be easy to figure out.
The argument against using COMPARE operation was always that it violates the X.500 model. But I disagree because userPassword should not be readable (by ACL) and there's ppolicy_hash_cleartext anyway.
Ciao, Michael.
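The thread above discusses verifying a user's password with an LDAP Compare on userPassword (carrying the password policy request control) instead of a Bind, so that the connection's own authorization state is untouched. The following is an added example, not code from the thread or from OpenLDAP: it builds the CompareRequest PDU for such a check from the RFC 4511 ASN.1 with a small BER encoder, parses it back, and makes one operational point visible: the assertion value is the cleartext password inside the PDU, so the operation needs a TLS-protected session and, on slapd, an ACL that grants at least `compare` on userPassword to the checking identity. The DN, password and message ID are constructed sample values; the control OID is the standard passwordPolicyRequest OID from the behera draft.

```python
"""Constructed example: an LDAP CompareRequest on userPassword, on the wire.

Encodes LDAPMessage { messageID, CompareRequest, controls } per RFC 4511
with a minimal BER encoder, then decodes it again.  Not OpenLDAP code.
"""

# passwordPolicyRequest control OID (draft-behera-ldap-password-policy)
PPOLICY_REQUEST_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
COMPARE_REQUEST_TAG = 0x6E   # [APPLICATION 14], constructed
CONTROLS_TAG = 0xA0          # [0] Controls, constructed
SEQUENCE_TAG = 0x30


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def octet_string(data: bytes) -> bytes:
    return tlv(0x04, data)


def integer(value: int) -> bytes:
    """Minimal two's-complement encoding for a non-negative INTEGER."""
    length = value.bit_length() // 8 + 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def boolean(flag: bool) -> bytes:
    return tlv(0x01, b"\xff" if flag else b"\x00")


def build_compare_request(message_id: int, dn: str, attribute: str,
                          value: bytes, with_ppolicy: bool = True) -> bytes:
    """LDAPMessage carrying CompareRequest { entry, ava { desc, value } }."""
    ava = tlv(SEQUENCE_TAG, octet_string(attribute.encode()) + octet_string(value))
    op = tlv(COMPARE_REQUEST_TAG, octet_string(dn.encode()) + ava)
    controls = b""
    if with_ppolicy:
        # Control { controlType, criticality FALSE }; the request has no value.
        control = tlv(SEQUENCE_TAG, octet_string(PPOLICY_REQUEST_OID.encode()) + boolean(False))
        controls = tlv(CONTROLS_TAG, control)
    return tlv(SEQUENCE_TAG, integer(message_id) + op + controls)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_compare_request(msg: bytes) -> dict:
    """Decode the PDU back into its fields; rejects non-Compare operations."""
    tag, body, _ = read_tlv(msg)
    if tag != SEQUENCE_TAG:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, pos = read_tlv(body, pos)
    if tag != COMPARE_REQUEST_TAG:
        raise ValueError("not a CompareRequest: tag 0x%02x" % tag)
    _, dn, p = read_tlv(op)
    _, ava, _ = read_tlv(op, p)
    _, attr, q = read_tlv(ava)
    _, val, _ = read_tlv(ava, q)
    controls = []
    if pos < len(body):
        tag, ctl_seq, _ = read_tlv(body, pos)
        if tag == CONTROLS_TAG:
            p = 0
            while p < len(ctl_seq):
                _, ctl, p = read_tlv(ctl_seq, p)
                _, oid, _ = read_tlv(ctl)
                controls.append(oid.decode())
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "dn": dn.decode(), "attribute": attr.decode(),
            "value": val, "controls": controls}


def carries_cleartext(msg: bytes, secret: bytes) -> bool:
    """True if the password appears verbatim in the PDU (it always does)."""
    return secret in msg


if __name__ == "__main__":
    pdu = build_compare_request(3, "uid=alice,dc=example,dc=com",
                                "userPassword", b"correct horse")
    print(pdu.hex())
    print(parse_compare_request(pdu))
    print("cleartext in PDU:", carries_cleartext(pdu, b"correct horse"))
```

The server, not the client, hashes the assertion value against the stored userPassword (with ppolicy_hash_cleartext doing the same for writes), so the client never needs read access to hashes; what it does need is `compare` access in the ACL and a channel that protects the PDU in transit.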