On 3/12/21 6:23 PM, Benjamin Renard wrote:
> Hi,
>
> On 12/03/2021 at 17:53, Michael Ströder wrote:
>> On 3/12/21 5:20 PM, Benjamin Renard wrote:
>>> In one of my OpenLDAP installations, I'm starting to use the Ppolicy overlay and
>>> it doesn't allow me to store multiple passwords in the userPassword
>>> attribute, as is possible in a regular situation.
>>
>> What's your use-case? Up to now 100% of the concepts I saw relying on
>> multiple user passwords were seriously flawed.
>>
>>> I'm looking for a solution
>>> that allows me to keep using Ppolicy and have the possibility to store an
>>> alternative user password (usually used by admins).
>>
>> Ouch!
>>
>> Many security regulations forbid especially this admin impersonation to
>> arbitrary user accounts. And there are many good reasons for that.
>
> This is my use-case and I agree with you that it's not a regular
> situation. I'm not responsible for this choice; I'm just trying to
> answer this historical use-case in a Ppolicy context. I don't see any
> technical reason why this requirement can't be achieved.
Ask yourself: how should password policy, e.g. correct password expiry, be applied to multiple, independently set userPassword values?

You could of course hack your own slapo-ppolicy which does that with additional metadata. Good luck.

But I strongly recommend getting rid of this flawed use-case now by designing a more secure support process.

Ciao, Michael.
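Before enabling slapo-ppolicy on an existing directory, an admin will want to know which entries already carry more than one userPassword value, since those are exactly the entries the overlay will refuse to handle and the ones the thread above argues should not exist in the first place. The script below is an added example, not code from the thread or from the OpenLDAP project: it parses an LDIF export (handling RFC 2849 line folding and base64 values) and reports every entry with a multi-valued userPassword together with the hash scheme of each value. The LDIF text embedded in it is constructed for the demonstration; in practice you would feed it the output of `slapcat` or `ldapsearch -LLL`.

```python
"""Audit an LDIF export for entries carrying more than one userPassword value.

slapo-ppolicy refuses to store a multi-valued userPassword, so any such entry
will break once the overlay is enabled; this flags them up front.
"""
import base64
from collections import defaultdict

# Constructed sample LDIF (not data from the thread). Entry "bob" carries two
# userPassword values, the second one folded onto a continuation line.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9ZXhhbXBsZQ==

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword:: e1NTSEF9Zmlyc3Q=
userPassword:: e1NTSEF9c2Vjb25k
 LWFkbWlu
"""


def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}} for the entries in an LDIF string.

    Handles RFC 2849 line folding (continuation lines start with one space),
    base64 values ("attr:: ...") and comment lines; values are kept as str.
    """
    entries = {}
    # Unfold: join each continuation line onto the preceding logical line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    current = None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.lower()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current["attrs"][name].append(value)
    return entries


def password_scheme(value):
    """Return the '{SCHEME}' prefix of a stored password value, or 'cleartext'."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1]
    return "cleartext"


def find_multi_password_entries(ldif_text):
    """Return {dn: [schemes]} for entries with more than one userPassword value."""
    offenders = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        values = attrs.get("userpassword", [])
        if len(values) > 1:
            offenders[dn] = [password_scheme(v) for v in values]
    return offenders


if __name__ == "__main__":
    for dn, schemes in find_multi_password_entries(SAMPLE_LDIF).items():
        print(f"{dn}: {len(schemes)} userPassword values ({', '.join(schemes)})")
```

The report deliberately shows only the scheme prefix of each value, never the hash itself, so it can be shared with the people who own the affected accounts while the extra passwords are removed and the support process is redesigned.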
