Password Manipulation Through Database
Chuck Yerkes
chuck+baylisa at snew.com
Mon Jul 15 09:52:16 PDT 2002

LDAP.

Even LDAP slowed down and backed by a SQL database. Dunno the state
of support for Informix SQL within OpenLDAP 2.1, but the interface
API is pretty generic (see also section 1.6 of
http://www.openldap.org/doc/admin21/guide.html).

I'm not 100% sure on this now, but previous to the back-
modules introduced in 2.1, if you're using SQL to back an LDAP
server (and for speed everyone actually queries a slave server,
not the one bound to slow SQL), it's IMPERATIVE that only LDAP
manipulate the LDAP exposed data. The LDAP server has no way
to "know" that a password has changed, or the mail address is
different. But with SQL you can at least get the plusses of
having various non-LDAP friendly information associated with
data that's living in LDAP.

Solaris 8/9 are quickly deprecating that blecherousness that is NIS+.

Quoting David Dull (qkstart at ix.netcom.com):
> I received the following message, to which I have already replied. However,
> it is an interesting thought exercise. How many different ways could this
> be done?
>
> ----- begin message 1 -----
> I have a need to create a mechanism in my application at a client company to
> enable users to change their passwords on a UNIX server from a browser using
> either Active Server Pages (visual basic) or Java Server Pages with Java. I
> use database roles to track user ability to see sensitive data. The initial
> problem is to change the temporary password provided by the UNIX admin
> because it has to be changed prior to being recognized by making a database
> connection using their UserID and password.
>
> As you can guess, the first time the UserID and password is used, the UNIX
> system responds with the request to change it. The second need is to try to
> trap the message from UNIX that indicates that their password is about to
> expire and handle it accordingly.
>
> Unfortunately, we are using Informix rather than Oracle. As you may know,
> Oracle handles the password management, but Informix does not.
> ----- end message 1 -----
>
> I asked him which operating system he was using, and whether a distributed
> authentication method had been implemented.
>
> ----- begin message 2 -----
> Solaris 9. No, don't believe there is any distributed authentication. I
> currently make connections to Informix through ODBC and JDBC with Active
> Server Pages and Java Server Pages respectively. I am making an ODBC
> connection through an active server page using the user name and password
> and then verifying their role assignment for determination of their
> privileges. I could use either ASPs or JSPs to determine the password
> status, and perhaps change it.
> ----- end message 2 -----
>
> --David Dull
> ddull at ieee.org
> http://home.netcom.com/~qkstart/
>
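
A toy model of the failure described in the reply above (a password changed directly in SQL never reaches the slave that clients query), added here as an illustration and not code from the original post or from OpenLDAP. The `Master`, `Replica` and `find_drift` names, the sqlite table and the in-memory replication log are assumptions standing in for a SQL-backed master and its slave.

```python
import hashlib
import sqlite3

def pw_hash(password):
    # Constructed stand-in for a stored password hash (unsalted, demo only).
    return hashlib.sha256(password.encode()).hexdigest()

class Master:
    """Toy LDAP master whose entries live in a SQL table (assumed schema)."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, pw TEXT)")
        self.replog = []  # only changes made through LDAP are recorded here

    def ldap_set_password(self, uid, password):
        # Supported path: write the SQL row and log the change for replicas.
        h = pw_hash(password)
        self.db.execute("INSERT OR REPLACE INTO users VALUES (?, ?)", (uid, h))
        self.replog.append((uid, h))

    def sql_set_password(self, uid, password):
        # Out-of-band path: the row changes, the LDAP server never hears of it.
        self.db.execute("UPDATE users SET pw = ? WHERE uid = ?", (pw_hash(password), uid))

class Replica:  # read-only slave that clients actually query
    def __init__(self):
        self.entries = {}

    def sync(self, master):
        # Replaying the whole log is idempotent: the last write per uid wins.
        for uid, h in master.replog:
            self.entries[uid] = h

    def bind(self, uid, password):
        return self.entries.get(uid) == pw_hash(password)

def find_drift(master, replica):
    # Audit: uids whose SQL row no longer matches what the replica serves.
    rows = master.db.execute("SELECT uid, pw FROM users ORDER BY uid")
    return [uid for uid, h in rows if replica.entries.get(uid) != h]

def demo():
    master, replica = Master(), Replica()
    master.ldap_set_password("alice", "temp-pw")  # constructed sample users
    master.ldap_set_password("bob", "temp-pw")
    master.sql_set_password("alice", "new-pw")    # changed directly in SQL
    master.ldap_set_password("bob", "new-pw")     # changed through LDAP
    replica.sync(master)
    return (replica.bind("alice", "new-pw"), replica.bind("alice", "temp-pw"),
            replica.bind("bob", "new-pw"), find_drift(master, replica))
```

In the model, the replica keeps accepting alice's old temporary password after the direct SQL update, and the audit flags her entry as out of step with the backing table.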