Hello,
I wrote a backend for the password plugin that uses OpenLDAP's ldappasswd(1). My motivation for this was to remove the requirement to retrieve the user's full LDAP record, which our policy does not allow, but this method is also easier to configure, obviates the need for php to be able to produce the password hash, and supports a more complete range of password storage and authentication options (e.g. SASL binds)
In particular, this might satisfy New Feature Request #1486349: password plugin: using LDAP EXOP for changing passwords (RFC3062)
From the comments:
- Advantages of this method:
- No extra configuration if OpenLDAP/ldappasswd are already configured
- Indifferent to password storage (attribute) and hashing details
- Future-proof: supports everything ldappasswd(1) can do now, and later
- TLS/SSF verification is done by OpenLDAP according to system settings
- Uses PASSMOD extended operation; no need to retrieve full user record
Please review. If possible, I would like to see this in the main tree so I don't have to maintain it locally
Patch attached
Cheers,
On 09/03/2014 12:05 PM, Dima Dorfman wrote:
Please review. If possible, I would like to see this in the main tree so I don't have to maintain it locally
Looks good. Remove license header (plugin license will be used) and create pull request on github.
-
A.L.E.C -
Dima Dorfman