Hi,
On 02/09/2010 23:51, Rob Tanner wrote:
> Hi,
> I need to define a secondary password attribute and I'm not sure what to enter in the schema. Is the syntax OID exclusively for searching and therefore, can I omit it (I'm not going to be searching on the password)? Or is the syntax OID also used for defining how the attribute is stored?
The syntax defines the type of an attribute, i.e. what is valid data to be stored in it. It is obligatory in an attribute definition.
The 'EQUALITY', 'ORDERING' and 'SUBSTR' rules define which types of searches can be performed on the attribute. If you don't want to allow searches with a filter like (tempPassword=JHJDSQAJREXNR==) then don't include an EQUALITY rule.
> So far, what I have is:
> attributetype ( 1.3.6.1.4.1.6459.10.2.213 NAME 'tempPassword' DESC 'Temporary password used for resets only' EQUALITY ?? SYNTAX ?? SINGLE-VALUE )
> The attribute will be SHA encrypted digest encoded as Base64 (same as the standard userPassword attribute). Any guidance on the schema definition would be most appreciated.
The online OpenLDAP Admin Guide has quite a bit of good information on defining schemas, including common syntaxes:
http://www.openldap.org/doc/admin24/schema.html#Attribute%20Type%20Specifica...
Also, I note that while you can define an attribute that's named tempPassword, it will not be used by OpenLDAP for authentication. 'userPassword' is a special case. Similar behaviour could be achieved by writing an overlay, though, if that's what you want.
Jonathan
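The definition Rob is asking for, filled in along the lines Jonathan describes, as an added example that is not part of the original thread. The syntax OID and matching rule are the ones OpenLDAP's core.schema uses for userPassword; the access directive is an assumed policy (attribute name and OID taken from the thread), not anything the thread states.

```conf
# Added example, not from the thread. Modelled on the userPassword
# definition in OpenLDAP's core.schema: Octet String syntax (RFC 4517,
# OID 1.3.6.1.4.1.1466.115.121.1.40) with octetStringMatch for EQUALITY.
# {128} is only a length hint. The {SHA}base64 value is stored as an
# opaque byte string; the syntax does not validate or hash it.
attributetype ( 1.3.6.1.4.1.6459.10.2.213
    NAME 'tempPassword'
    DESC 'Temporary password used for resets only'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}
    SINGLE-VALUE )

# Alternative (load this one INSTEAD of the above, never both): with no
# EQUALITY rule the value can still be stored and read back, but a filter
# such as (tempPassword=...) is not evaluable, so it cannot be searched on.
#
# attributetype ( 1.3.6.1.4.1.6459.10.2.213
#     NAME 'tempPassword'
#     DESC 'Temporary password used for resets only'
#     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}
#     SINGLE-VALUE )

# Assumed policy: because slapd treats only userPassword specially, a
# custom password attribute is an ordinary readable attribute unless an
# ACL hides it. Keep the hash out of general reads, as for userPassword.
access to attrs=tempPassword
    by self write
    by * none
```

Load with the usual `include` in slapd.conf (or the equivalent olcAttributeTypes entry under cn=config) and check it with `slaptest` before restarting slapd.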