
Re: Storing 'userPassword' encrypted via server settings.
Hello.

With OpenLDAP-2.2.2, you can write a SLAPI plugin that can accomplish that feat.  I am currently trying to get the LDAP_CONTROL_PWEXPIRED & LDAP_CONTROL_PWEXPIRING controls added in.  To accomplish this, I had to resort to a prebind plugin instead of the pre-results plugin because you can't add result controls with pre-result plugins.

To do what you want, you would have to write a pre-modify plugin that looks to see what is being modified.  If it's the userPassword, then you take the value given you by the client and encrypt it based on the strategy that you choose.  All other attributes I would ignore.

Darin Broady
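As an added illustration (not code from this thread or from OpenLDAP), the following Python models the decision logic such a pre-modify hook would implement: it scans a modification list, hashes any cleartext userPassword value into the RFC 2307 {SSHA} form, leaves values that already carry a scheme prefix untouched so a client-supplied hash is not hashed twice, and passes every other attribute through unchanged. The {SSHA} layout, the `Mod` tuple shape and the function names are assumptions; a real SLAPI plugin is written in C against slapi-plugin.h.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# A modification as (attribute, [values]); a constructed stand-in for the
# LDAPMod list a pre-modify plugin receives (assumption, not the SLAPI API).
Mod = Tuple[str, List[str]]

# RFC 2307 scheme prefixes; a value that already carries one is stored as-is.
KNOWN_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return the OpenLDAP {SSHA} form: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):])
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def pre_modify(mods: List[Mod]) -> List[Mod]:
    """Model of the pre-modify hook: hash cleartext userPassword values only."""
    out: List[Mod] = []
    for attr, values in mods:
        if attr.lower() != "userpassword":
            out.append((attr, values))  # every other attribute is ignored
            continue
        hashed = [v if v.upper().startswith(KNOWN_SCHEMES) else ssha_hash(v)
                  for v in values]
        out.append((attr, hashed))
    return out
```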
Sent by:        owner-openldap-software@OpenLDAP.org

To:        "'openldap-software@OpenLDAP.org'" <openldap-software@OpenLDAP.org>
cc:        
Subject:        Storing 'userPassword' encrypted via server settings.
I've been working towards setting up several HPUX servers to authenticate off
of openldap.  So far I've got the appropriate schema added so that I can run
through the ldapux setup without problems and hook nss and pam into ldap.
Authentication works, but when changing my password via the HPUX passwd command
it stores the password in clear text on the openldap server.  I found this note
from 1999 and wondered if there has been any progress.

http://www.openldap.org/lists/openldap-bugs/199910/msg00018.html

Is it possible to change core.schema's attribute type for 'userPassword' to
accomplish server based encryption?

In case it matters I'm running HPUX 11i with LdapUxClient B.03.10

Thanks!