[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: forcing password hash

Jim Boden wrote:
That is exactly what I need. Thank you Howard!

Can anyone tell me where are the pwd histories stored? I was working with another client that spoke exop and found that I could get pwd expiry to work, but not the quality settings or the history.

They're stored in the user entry, in the pwdHistory operational attribute. This attribute is fully described in the manpage.

Is there something special that must be added to a user entry? I have the default policy specified in slapd.conf

Nothing special is needed.

overlay ppolicy ppolicy_default "cn=Standard Policy,ou=Policies,dc=mycompany,dc=com" ppolicy_use_lockout

But the users are just posixAccount and shadowAccount types and the setup I copied from test022.

If I use exop with SSHA does that prevent openldap from doing the quality checking?

No, the exop only accepts passwords in plaintext and then generates the hash later. As such, quality checking can always be performed when using the exop.


*/Howard Chu <hyc@symas.com>/* wrote:

    Kurt D. Zeilenga wrote:
    > At 11:57 AM 12/19/2005, Jim Boden wrote:
    >> Is there a way to force openldap to hash the userPassword entry
    if the client does not?
    > As distributed, no. slapd(8) preserves the value of userPassword
    > precisely as presented.
    >> But if the client does not use exop, is there anything we can
    do to force a hash?
    > One could, I guess, write an overlay to hash the value on
    > behalf of the client.
    The ppolicy overlay has a config option to force hashing on
    Modifies and
    Adds. See slapo-ppolicy(5).

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/