[RCD] [PATCH] password plugin driver for ldappasswd(1)

Dima Dorfman dima+rcd at trit.net
Wed Sep 3 12:05:43 CEST 2014


Hello,

I wrote a backend for the password plugin that uses OpenLDAP's
ldappasswd(1). My motivation for this was to remove the requirement to
retrieve the user's full LDAP record, which our policy does not allow,
but this method is also easier to configure, obviates the need for PHP
to be able to produce the password hash, and supports a more complete
range of password storage and authentication options (e.g. SASL binds).

In particular, this might satisfy New Feature Request #1486349:
password plugin: using LDAP EXOP for changing passwords (RFC3062)

From the comments:

* Advantages of this method:
*  - No extra configuration if OpenLDAP/ldappasswd are already configured
*  - Indifferent to password storage (attribute) and hashing details
*  - Future-proof: supports everything ldappasswd(1) can do now, and later
*  - TLS/SSF verification is done by OpenLDAP according to system settings
*  - Uses PASSMOD extended operation; no need to retrieve full user record

Please review. If possible, I would like to see this in the main tree so
I don't have to maintain it locally.

Patch attached.

Cheers,

-- 
Dima
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc-ldappasswd.diff
Type: text/x-patch
Size: 6646 bytes
Desc: not available
URL: <http://lists.roundcube.net/pipermail/dev/attachments/20140903/9e772028/attachment.bin>
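
Added example, not part of the original message or of the attached patch (whose contents are not shown on this page): a shell sketch of a self-service password change through ldappasswd(1) that keeps both passwords out of the process argument list. The function name, the `LDAPPASSWD` override variable, the simple bind as the user and the StartTLS requirement are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the patch): change the bound user's own password
# with ldappasswd(1) without exposing either password in the process list.
# LDAPPASSWD can be overridden, e.g. with a full path to the binary.
LDAPPASSWD="${LDAPPASSWD:-ldappasswd}"

# change_password URI BIND_DN OLD_PASSWORD NEW_PASSWORD
# Function arguments stay inside the shell; only file paths reach argv.
change_password() {
    cp_uri=$1 cp_dn=$2 cp_old=$3 cp_new=$4
    # Refuse an empty new password instead of handing ldappasswd an empty file.
    [ -n "$cp_new" ] || { echo "new password is empty" >&2; return 2; }

    cp_umask=$(umask)
    umask 077                          # files below are created 0600
    cp_dir=$(mktemp -d) || { umask "$cp_umask"; return 1; }
    # printf is a builtin in bash and dash, so the secrets never reach argv.
    # No trailing newline: -y and -T use the complete file contents.
    printf '%s' "$cp_old" > "$cp_dir/old"
    printf '%s' "$cp_new" > "$cp_dir/new"
    umask "$cp_umask"

    cp_rc=0
    # -x simple bind, -ZZ require StartTLS (assumption; drop for ldaps://),
    # -D bind as the user, -y bind password file, -T new password file.
    # With no user argument, the password of the bound identity is changed.
    "$LDAPPASSWD" -x -ZZ -H "$cp_uri" -D "$cp_dn" \
        -y "$cp_dir/old" -T "$cp_dir/new" || cp_rc=$?

    rm -rf "$cp_dir"
    return "$cp_rc"
}
```

Because the user binds with their own credentials and the server applies the PASSMOD operation, the caller never reads the user's entry or computes a hash.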
