Re: forcing password hash

[Howard Chu <hyc@symas.com>]

Jim Boden wrote:
> That is exactly what I need. Thank you Howard!
>
> Can anyone tell me where are the pwd histories stored? I was working 
> with another client that spoke exop and found that I could get pwd 
> expiry to work, but not the quality settings or the history.

They're stored in the user entry, in the pwdHistory operational 
attribute. This attribute is fully described in the manpage.
> Is there something special that must be added to a user entry? I have 
> the default policy specified in slapd.conf

Nothing special is needed.
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=mycompany,dc=com"
> ppolicy_use_lockout
>
> But the users are just posixAccount and shadowAccount types and the 
> setup I copied from test022.
>
> If I use exop with SSHA does that prevent openldap from doing the 
> quality checking?

No, the exop only accepts passwords in plaintext and then generates the 
hash later. As such, quality checking can always be performed when using 
the exop.
> Thanks,
> Jim
>  
>
> */Howard Chu <hyc@symas.com>/* wrote:
>
>     Kurt D. Zeilenga wrote:
>     > At 11:57 AM 12/19/2005, Jim Boden wrote:
>     >
>     >> Is there a way to force openldap to hash the userPassword entry
>     if the client does not?
>     >>
>     >
>     > As distributed, no. slapd(8) preserves the value of userPassword
>     > precisely as presented.
>     >
>     >
>     >> But if the client does not use exop, is there anything we can
>     do to force a hash?
>     >>
>     >
>     > One could, I guess, write an overlay to hash the value on
>     > behalf of the client.
>     >
>     >
>     The ppolicy overlay has a config option to force hashing on
>     Modifies and
>     Adds. See slapo-ppolicy(5).


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/