Nick Milas writes:
> Based on the fact that the userPassword attribute is NOT single-valued in the schema definition, I was wondering whether there are cases where we could use a double-password approach or if doing that would just cause a mess.
Sure. For example, when you change an entry's password, you may want a grace period where both passwords are accepted. In particular if you have a service which binds with its own DN and password, and you don't want it to fail while you are changing the passwords at both ends (in the service and in LDAP). You'll have to remember to remove the old password yourself, though; I don't think OpenLDAP has anything which can remember it for you. Unless the ppolicy overlay can be used for that.
On the other hand,
> For example, could we store both a clear-text password (to be used e.g. in DIGEST authentication) AND an encrypted (SSHA or MD5) one for standard use?
Why? The encryption buys you no security when the cleartext password is also available in the same attribute.
OTOH - userPassword is for Simple Bind, while DIGEST means SASL Bind. SASL uses its own subsystems. It can be configured to use passwords from LDAP but need not be. See the Admin Guide at www.openldap.org. I don't know SASL, but I expect it can take the password from some other attribute than userPassword.