Hi,
Is it possible to create an ACL entry that will allow only the first value of an attribute to be read (an example would be nice)?
For example having userPassword with a first value using MD5 hashing and a second value as plain text. We plan on replicating that object but we don't want to include the plain text value of the attribute userPassword.
Using another attribute to store the user's password is out of the question.
We need to add plain text passwords for some users in a country that uses Active Directory (AD password sync).
Thx!
On Wed, 1 Aug 2012, Andrei B?NARU wrote:
> Is it possible to create an ACL entry that will allow only the first value of an attribute to be read (an example would be nice)?
> For example having userPassword with a first value using MD5 hashing and a second value as plain text. We plan on replicating that object but we don't want to include the plain text value of the attribute userPassword.
"First value," no. Ordering isn't guaranteed, you're setting yourself up for pain if you make security policy around that.
But if you have {MD5}something and {SHA1}else, then you have something programmatic to work with. As a result of ITS#3446 (ancient history at this point) you should be able to use an ACL like:
access to * attrs=userPassword val.regex=@@WhatYouWant@@ by [...]
to restrict {MD5} or {SHA1} or whatever.
openldap-technical@openldap.org
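A worked version of the val.regex approach described in the reply above, added here as an illustration and not taken from the thread or from the OpenLDAP project itself. It assumes a slapd.conf-style configuration, a hypothetical replication identity cn=replicator,dc=example,dc=com, and that the values you want to replicate carry a {MD5}, {SHA} or {SSHA} scheme prefix; the bracket expressions avoid having to backslash-escape the braces inside the regex. Because ACLs are evaluated first match and val.regex selects individual values, a value that does not match the first rule falls through to the second, where the consumer is given no read access, so it is never sent to that consumer:

```conf
# slapd.conf fragment (constructed example, not from the thread)
#
# Rule 1: userPassword values that start with a recognised hash scheme.
# The replication identity (hypothetical DN) may read these, so they
# replicate; users keep write access to their own password and anonymous
# keeps "auth" so simple binds still work.
access to attrs=userPassword val.regex="^[{](MD5|SHA|SSHA)[}]"
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by anonymous auth
        by * none

# Rule 2: every other userPassword value, including any cleartext value.
# The replication identity is not listed, so "by * none" applies to it:
# it cannot read these values and therefore does not receive them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Remaining attributes: unchanged from whatever policy you already use.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by * read
```

To check the effect before trusting it, bind to the provider as the replication identity with ldapsearch and request userPassword on a test entry that holds both a hashed and a cleartext value; only the hashed value should come back. Anchoring on the scheme prefix rather than on value order is the point the reply makes: the prefix is a property of the value itself, while position in the attribute is not guaranteed.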