[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password hash in openldap

To: openldap-technical@openldap.org
Subject: Re: Password hash in openldap
From: Dieter Klünter <dieter@dkluenter.de>
Date: Fri, 31 Oct 2008 17:00:57 +0100
Content-disposition: inline
In-reply-to: <4905597A.9020005@hk.fujitsu.com>
References: <4905597A.9020005@hk.fujitsu.com>
User-agent: KMail/1.10.1 (Linux/2.6.25.18-0.2-default; KDE/4.1.2; x86_64; ; )

Am Montag 27 Oktober 2008 07:02:34 schrieb Paul Lee:
> Dear all,
>
> Last time I changes the slapd.conf to restrict anonymous user to see the
> userPassword attribute from 3rd party LDAP browser.  However, our client
> still wants to encrypt/hash the password stored in LDAP because he says
> that he can user other users auth to the LDAP and then can see other
> users' password (e.g. he can see his boss's password).
>
> Since we have the admin portal to change the user password as well,
> seems it can't restrict userpassword attribute by self read/write.
>
> Also, we will use the password policy and restrict users to re-use the
> last 12 passwords.
>
> So, my question is that is it possible to hash the password stored in
> openldap, also, the password stored in the password history is also
> hashed so that even other users can't see the password of others.

man slapo_ppolicy(5)
ppolicy_hash_cleartext, but read the comment in the manual page.

-Dieter
-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E

References:
- Password hash in openldap
  - From: Paul Lee <paul@hk.fujitsu.com>

Prev by Date: create quota to openldap group
Next by Date: GSSAPI Error: An invalid name was supplied (Not enough space)
Index(es):
- Chronological
- Thread