[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Storing 'userPassword' encrypted via server settings.

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of don@swbe.com

> I've been wowrking towards setting up several HPUX servers to
> authenticate off
> of openldap.  So far I've got the appropriate schema added so
> that I can run
> through the ldapux setup without problems and hook nss and
> pam into ldap.
> Authentication works, but when changing my password via the
> HPUX passwd command
> it stores the password in clear text on the openldap server.
> I found this note
> from 1999 and wondered if there has been any progress.
> http://www.openldap.org/lists/openldap-bugs/199910/msg00018.html
> Is it possible to change core.schema's attribute type for
> 'userPassword' to
> accomplish server based encryption?

That is what the passwordModify extended operation is for.

> In case it matters I'm running HPUX 11i with LdapUxClient B.03.10

See if the LdapUxClient supports the passwordModify exop. If it doesn't, you
need a different NSS module for LDAP support. The PADL module works well. You
can download these modules pre-built and ready-to-install in the Symas CNS
package on our web site; our HPUX package has already been tested on HPUX

Note - when processing an LDAPModify request, the server is obligated to
store exactly what the client provided. Doing anything else would be a
violation of the service model. On the other hand, the passwordModify
extended operation is intended to do "all the right things" when setting a
password, including encryption.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support