Hi Jens,
First of all, let me say that you might get more responses to IAM-related questions on the IAM-specific community group. Direct link: https://ibm.biz/iamcommunity
On this question, I'm pretty sure what you are asking is not possible natively in SDS (unless there is some custom extension point I don't know about).
You could write your own code client-side using compare (as you suggested) but not sure if you can have other fields hashed like the password. Hashing (vs encryption) is an important part of password security. Someone else will have to comment on that.
You compared this function to Windows password/PIN, but isn't that function mainly to support a central account password and a local PIN - i.e. the two mechanisms are related to different storage locations and purposes?
I'm struggling with the purpose of two different passwords for the same account. The user, and any attacker, would surely only ever use the shorter one?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Fri June 19, 2020 06:50 AM
From: Jens Petersen
Subject: Using a PIN as password with LDAP BIND
Hi all,
Reading through the SDS 8.1 documentation I found that you can use any unique attribute to bind but still need the password attribute. Also with the supplied SASL I couldn't find an option using any attribute to store a PIN and use it like a password. I probably could use LDAP_COMPARE and create my own code but thought there might be an option with LDAP_BIND. The idea is using a PIN and/or a password like you can with Windows. Any suggestions?
THX,
Jens
------------------------------
Jens Petersen
------------------------------