[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Passwords in DIT after MOD from Solaris Client

To: openldap-technical@openldap.org
Subject: Re: Passwords in DIT after MOD from Solaris Client
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 22 Nov 2010 12:39:08 +0100
Cc: Ben Rockwood <benr@cuddletech.com>
In-reply-to: <4CEA36EB.6070404@cuddletech.com>
References: <4CEA36EB.6070404@cuddletech.com>
User-agent: KMail/1.13.3 (Linux/2.6.33.7-desktop-2.1mnb; KDE/4.4.3; x86_64; ; )

On Monday, 22 November 2010 10:24:59 Ben Rockwood wrote:
> Hello,
> 
>  I'm using pam_ldap on a Solaris 10 client and an OpenLDAP server.
> Everything works great, with one little exception.
> 
>  I can create new accounts from an LDIF specifying the password as
> {SSHA} and everything works fine.  Users can login, etc.  However, if a
> user changes their password from Solaris ('passwd -r ldap') the password
> is now stored in the directory as plaintext.  The user can still login,
> change their password, etc, it works fine... but I don't want plaintext
> passwords in the directory.
> 
>  I tried adding "password-hash   {SSHA}" to slapd.conf, but that didn't
> do anything... nor would I expect it to because its the default setting.

This affects:
-the default hash used by slappasswd
-the hash used by clients when they perform a PASSMOD operation.

>  Can anyone point me in the right direction?

For a normal modify, nothing is done by default. However you can (ab)use the 
ppolicy overlay, and the 'ppolicy_hash_cleartext' option, which will result in 
the 'password-hash' being applied to cleartext values of userPassword on 
modifies.

Regards,
Buchan

Follow-Ups:
- Re: Passwords in DIT after MOD from Solaris Client
  - From: Ben Rockwood <benr@cuddletech.com>

References:
- Passwords in DIT after MOD from Solaris Client
  - From: Ben Rockwood <benr@cuddletech.com>

Prev by Date: RE: back-ldap core dump
Next by Date: About locked LDAP user
Index(es):
- Chronological
- Thread