Re: forcing password hash
- To: Jim Boden <email@example.com>
- Subject: Re: forcing password hash
- From: Howard Chu <firstname.lastname@example.org>
- Date: Mon, 19 Dec 2005 15:09:07 -0800
- Cc: OpenLDAP-software@OpenLDAP.org
- In-reply-to: <email@example.com>
- References: <firstname.lastname@example.org>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 SeaMonkey/1.5a
Jim Boden wrote:
> That is exactly what I need. Thank you Howard!
> Can anyone tell me where are the pwd histories stored? I was working
> with another client that spoke exop and found that I could get pwd
> expiry to work, but not the quality settings or the history.

They're stored in the user entry, in the pwdHistory operational
attribute. This attribute is fully described in the manpage.

> Is there something special that must be added to a user entry? I have
> the default policy specified in slapd.conf

Nothing special is needed.

> ppolicy_default "cn=Standard Policy,ou=Policies,dc=mycompany,dc=com"
> But the users are just posixAccount and shadowAccount types and the
> setup I copied from test022.
> If I use exop with SSHA does that prevent openldap from doing the

No, the exop only accepts passwords in plaintext and then generates the
hash later. As such, quality checking can always be performed when using
> */Howard Chu <email@example.com>/* wrote:
> Kurt D. Zeilenga wrote:
> > At 11:57 AM 12/19/2005, Jim Boden wrote:
> >> Is there a way to force openldap to hash the userPassword entry
> >> if the client does not?
> > As distributed, no. slapd(8) preserves the value of userPassword
> > precisely as presented.
> >> But if the client does not use exop, is there anything we can
> >> do to force a hash?
> > One could, I guess, write an overlay to hash the value on
> > behalf of the client.
> The ppolicy overlay has a config option to force hashing on
> Adds. See slapo-ppolicy(5).
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
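
Because slapd stores userPassword exactly as the client presented it unless hashing is forced, existing entries may already hold unhashed values. The following is an added example, not part of the original thread or of OpenLDAP: a small audit over an LDIF export that reports entries whose userPassword carries no storage-scheme prefix. The function names and the sample LDIF are constructed for illustration.

```python
import base64
import re

# Storage-scheme prefix such as {SSHA} or {CRYPT} at the start of the value.
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9._-]+)\}")

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample export (not from the thread); alice's value is folded.
_ALICE = _b64("{SSHA}constructed-sample-not-a-real-hash")
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=mycompany,dc=com\n"
    f"userPassword:: {_ALICE[:20]}\n {_ALICE[20:]}\n\n"
    "dn: uid=bob,ou=People,dc=mycompany,dc=com\n"
    "userPassword: hunter2\n\n"
    "dn: uid=carol,ou=People,dc=mycompany,dc=com\n"
    f"userPassword:: {_b64('secret')}\n\n"
    "dn: uid=dave,ou=People,dc=mycompany,dc=com\n"
    "userPassword: {CLEARTEXT}secret\n"
)

def audit(ldif):
    """Return (dn, scheme) per userPassword value; scheme is None if unhashed."""
    findings, dn = [], None
    # Unfold LDIF continuation lines (newline followed by one space) first.
    for line in ldif.replace("\n ", "").splitlines():
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            raw = base64.b64decode(rest[1:].strip())
        else:                     # "attr: value" is literal
            raw = rest.strip().encode()
        if attr.lower() == "dn":
            dn = raw.decode(errors="replace")
        elif attr.lower() == "userpassword":
            m = SCHEME_RE.match(raw)
            scheme = m.group(1).decode().upper() if m else None
            findings.append((dn, None if scheme == "CLEARTEXT" else scheme))
    return findings

def cleartext_dns(ldif):
    """DNs whose userPassword was stored as presented, with no hash scheme."""
    return [dn for dn, scheme in audit(ldif) if scheme is None]
```

LDIF tools base64-encode userPassword values, so the check has to decode before looking for the `{SCHEME}` prefix; a value that decodes to readable text with no prefix was stored unhashed.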