Hi,
I am implementing password policy in my LDAP-based software. When
using Fedora DS I encountered several problems (or questions) :
1) when password expired, no request other than modifying its
userPassword attribute is allowed. Two requests would have been
usefull in my opinion :
* Start TLS : I want to enable TLS just before changing my password, but :
- Start TLS is not allowed, since it is not the only allowed
modify request on userpassword
- After Start TLS (when the password is not expired), it seems
that the connection become sometimes anonymous, and needs a new bind.
I thought only the Stop TLS operation must disable the authentication
on the LDAP connection
* Password Modify Extended operation : I just thought it would be a
good idea to use it to change a password, but it is not allowed
2) when changing the password using a standard ldap modify request, if
I send two modify operations in the same request, the first one to
remove the old password and the second one to add the new password, do
I need to hash the old password for it to be in the same format than
in the directory ?
3) when using the Password Modify Extended operation, then at the next
logon the server requires the user to change its password ! So I
definitly can't use this operation on a server implementing password
policy. I believe that in the Fedora DS password policy code this
operation is only seen as an administration request, not intended to
be done by a user : it is handled as a "force password" request, not a
"change password" request.
4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s
blocks the calling thread. I don't know if it comes from the server,
the client API, or both. It is not too bad since I can just call
ldap_unbind and ldap_init instead.
Fran?ois
