What I did is this: for each user (Uid), I created multiple "userpassword attribute" values, <br><div class="gmail_quote"><div><br></div><div>then, while authenticating, OpenLDAP will compare the input password with all the created password values, one by one</div>
<div><br></div><div>If the input matches any one of the created passwords => Access - Accept </div><div><br></div><div>I also know that my scenario is somewhat strange and not good, but it is really what I need! </div><div>
<br>
</div><div>My policy is: each user just sends one password from the "password pool" for his authentication to succeed </div><div>(Access - Accept) </div><div><br></div><div>Regards! </div><div><br><div class="gmail_quote">
At 22:31 on 18 November 2011, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<div><div></div><div class="h5"><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On 11/18/2011 06:20 AM, Duong Manh Truong wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
Thanks for your reply :)<br>
<br>
I have better news: by using OpenLDAP for FR Authen & Authorization<br>
=> I can configure multiple passwords for each user (Uid)<br>
and use 1 of those passwords for successful authentication!<br>
<br>
Although it is done manually now, somehow it solves the matter!<br>
<br>
If anyone has experienced this, please give some advice!<br>
Example: How to do it automatically or<br>
How to create a pool of passwords then use the pool for multiple users :)<br>
</blockquote>
<br></div>
Not exactly sure what you did. LDAP does have the concept of multi-valued attributes, but that won't be of any use to you even if you set multiple values for one attribute type (e.g. name). Why? The RADIUS server can only use one password for a user; not exactly sure what it will do if it gets more than one back from LDAP. I assume it just picks the first one (where first is probably non-deterministic).<br>
<br>
The bottom line is there must be a one-to-one mapping between users and passwords. Users should have just one password; this is good practice. If you want to write custom code you can bypass the limitation, but you really, really don't want to do that.<br>
<br>
Accept it as a given: 1 user, 1 password.<br>
<br>
Also please be courteous and trim your emails of non-relevant text.<br><font color="#888888">
<br>
-- <br>
John Dennis <<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>><br>
</font></blockquote></div></div></div><br>
</div>
</div><br>
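Added example, not part of the original thread: the first message describes directory entries that carry several userPassword values, any one of which is accepted, while the reply recommends one password per user. The Python sketch below audits an LDIF export and lists the entries that hold more than one userPassword value. The sample LDIF, its DNs and its hash strings are constructed for illustration, and the function names are hypothetical.

```python
import base64

# Constructed sample export (not taken from the thread).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "uid: alice",
    "userPassword: {SSHA}constructed-value-1",
    "userPassword:: " + base64.b64encode(b"{SSHA}constructed-value-2").decode(),
    "",
    "# bob follows the one-user, one-password rule",
    "dn: uid=bob,ou=people,dc=example,",
    " dc=org",
    "uid: bob",
    "userPassword: {SSHA}constructed-value-3",
    "",
])

def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) and drop comment lines."""
    out, skipping = [], False
    for raw in ldif_text.splitlines():
        if raw.startswith(" "):
            if not skipping and out:
                out[-1] += raw[1:]
            continue
        skipping = raw.startswith("#")
        if not skipping:
            out.append(raw)
    return out

def password_counts(ldif_text):
    """Return {dn: number of userPassword values} for every entry."""
    counts, dn = {}, None
    for line in unfold(ldif_text):
        if not line:              # a blank line ends the current entry
            dn = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: value" means base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        attr = name.split(";")[0].lower()   # ignore attribute options
        if attr == "dn":
            dn = value
            counts[dn] = 0
        elif attr == "userpassword" and dn is not None:
            counts[dn] += 1
    return counts

def multi_password_entries(ldif_text):
    """DNs whose entry holds more than one userPassword value."""
    return sorted(dn for dn, n in password_counts(ldif_text).items() if n > 1)

if __name__ == "__main__":
    for entry in multi_password_entries(SAMPLE_LDIF):
        print("multiple userPassword values:", entry)
```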