12:40 p.m.
Hello,
Currently I have ldap entries with 2 userPassword attributes. One is a regular SHA
password which the other one delegates to sasl. However this results in all entries
binding through sasl rather than locally. I need some entries to default to sasl and other
entries to default to SHA but still failover to the other password entry. Is this possible
through openldap?
Thanks,
Jeremy
--
Jeremy Diaz
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: jeremy.diaz(a)rexconsulting.net
web: [ http://www.rexconsulting.net/ | http://www.rexconsulting.net ]
phone, toll-free: +1 (888) 403-8996 EXT: 5
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon, this information by persons
or entities other than the intended recipient is prohibited.
Rex Consulting, Inc. has been a California Corporation since 2001.
6:20 a.m.
Le 2019-11-20 21:40, Jeremy Diaz a écrit :
Hello,
Currently I have ldap entries with 2 userPassword attributes. One is a
regular SHA password which the other one delegates to sasl. However
this
results in all entries binding through sasl rather than locally. I
need
some entries to default to sasl and other entries to default to SHA
but
still failover to the other password entry. Is this possible through
openldap?
Hello Jeremy,
I have done some tests. I confirm that you can have 2 userPassword
values, one SASL and the other regular. When you BIND with a password,
it seems all values are tested, and if one match, then the BIND is
successful. I don't see how you can select an order in the passwords.
But why is it a problem? With this setup, you can use SASL or regular
password for an entry, and the failback will work.
--
Clément Oudot
Worteks - https://www.worteks.com
5:56 a.m.
Hi Clement,
Thanks for the response. It's an issue because there are certain accounts we want to
auth directly with ldap since using sasl is much slower. However, with our current setup
they are all going through sasl first.
Is ldap unable to assign a priority to a password entry?
Thanks,
Jeremy
----- Original Message -----
From: "Clément Oudot" <clement.oudot(a)worteks.com>
To: "Jeremy Diaz" <jeremy.diaz(a)rexconsulting.net>
Cc: "openldap-technical" <openldap-technical(a)openldap.org>
Sent: Tuesday, November 26, 2019 9:20:25 AM
Subject: Re: Is there a way to set a preference on entries with multiple userPassword
attributes?
Le 2019-11-20 21:40, Jeremy Diaz a écrit :
Hello,
Currently I have ldap entries with 2 userPassword attributes. One is a
regular SHA password which the other one delegates to sasl. However
this
results in all entries binding through sasl rather than locally. I
need
some entries to default to sasl and other entries to default to SHA
but
still failover to the other password entry. Is this possible through
openldap?
Hello Jeremy,
I have done some tests. I confirm that you can have 2 userPassword
values, one SASL and the other regular. When you BIND with a password,
it seems all values are tested, and if one match, then the BIND is
successful. I don't see how you can select an order in the passwords.
But why is it a problem? With this setup, you can use SASL or regular
password for an entry, and the failback will work.
--
Clément Oudot
Worteks -
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.worteks.com&...
----------
This email has been scanned for spam and viruses by Proofpoint Essentials. Visit the
following link to report this email as spam:
https://us1.proofpointessentials.com/index01.php?mod_id=11&mod_option...
1204
days inactive
1217
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Clément Oudot -
Jeremy Diaz