Fran?ois Beretti wrote: > Hi, > > I am implementing password policy in my LDAP-based software. When > using Fedora DS I encountered several problems (or questions) : > > 1) when password expired, no request other than modifying its > userPassword attribute is allowed. Two requests would have been > usefull in my opinion : > > * Start TLS : I want to enable TLS just before changing my password, > but : > - Start TLS is not allowed, since it is not the only allowed > modify request on userpassword Can you do the StartTLS extended operation first, before the bind request, then the password modify? > - After Start TLS (when the password is not expired), it seems > that the connection become sometimes anonymous, and needs a new bind. I'm not sure what you mean. Can you elaborate on this? > I thought only the Stop TLS operation must disable the authentication > on the LDAP connection Do you mean authentication or transport encryption? > > * Password Modify Extended operation : I just thought it would be a > good idea to use it to change a password, but it is not allowed Even if you do this as the first operation, before the bind? > > 2) when changing the password using a standard ldap modify request, if > I send two modify operations in the same request, the first one to > remove the old password and the second one to add the new password, do > I need to hash the old password for it to be in the same format than > in the directory ? No. You should not send pre-hashed passwords, you should let the DS hash the passwords. > > 3) when using the Password Modify Extended operation, then at the next > logon the server requires the user to change its password ! So I > definitly can't use this operation on a server implementing password > policy. I believe that in the Fedora DS password policy code this > operation is only seen as an administration request, not intended to > be done by a user : it is handled as a "force password" request, not a > "change password" request. Hmm - that could be a bug in that we perhaps do not reset the password expiration time. It's supposed to - it goes through the same code as regular password modify. > > 4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s > blocks the calling thread. I don't know if it comes from the server, > the client API, or both. It is not too bad since I can just call > ldap_unbind and ldap_init instead. > > > Fran?ois > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20070427/5cae1307/attachment.bin
