[Date Prev][Date Next] [Chronological] [Thread] [Top]

ppolicy_hash_cleartext also hashing hashes?

Hi all

I seem to have a problem when using the ppolicy_hash_cleartext directive from the ppolicy overlay.

When is set a password like this:

ldapmodify << EOF
userPassword: thepassword


all works well and I get a hashed value in the directory.
When I set the password using ldappasswd, it gets set correctly, too.
Then, I wanted to import entries from a sunone directory into my openldap server, where passwords where stored as SSHA hashes:

ldapsearch -h sunone | ldapmodify -h openldap

and that made the ppolicy module apparently hashing the already hashed values from the sunone server, none of the passwords were working afterwards. After disabling ppolicy_hash_cleartext and re-importing, they all worked fine.

Is it the case that, when having ppolicy_hash_cleartext enabled, you cannot simply set passwords using

ldapmodify << EOF
userPassword: {SSHA}ETo0sDZO81GuyfenQ6xTC+Kb8gzSbBBj


, as they always will be rehashed? And if this is the case, is this considered a bug or a given fact. I would have thought the overlay could find out by checking the string for an initial {ALG}, that the password given is already hashed, like the password verifying routine assumedly has to.