
ppolicy_hash_cleartext "recommendation" ?



Hi all.

I've set up an OpenLDAP directory with the password policy overlay and the ppolicy_hash_cleartext option to ensure cleartext passwords get hashed (as my client requests).

But the slapo-ppolicy man page clearly states:

"It is recommended that when this option is used that compare, search, and read access be denied to all directory users."

Is this warning about the userPassword attribute only? That is, more or less, the standard configuration: not even the user can read his password, only write it. Or does this warning apply to the whole directory (a bit too much?)

Any reason for this warning in particular here? I mean, not letting anybody but the rootdn see the userPassword attribute is a good idea anyway; is there any particular reason why enabling ppolicy_hash_cleartext makes it extra-good?

Best regards,

------------------------------

Jesús Couto F.
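
The setup described in the post, written out as a slapd.conf fragment. This is an added sketch, not part of the original message; the suffix dc=example,dc=com and the policy entry DN are placeholder assumptions.

```conf
# Added example (not from the original post).
# Placeholder suffix and policy DN; adjust to the real directory.
database    mdb
suffix      "dc=example,dc=com"

# Password policy overlay. With ppolicy_hash_cleartext, a cleartext
# userPassword sent in an Add or Modify request is hashed before it
# is stored.
overlay                 ppolicy
ppolicy_default         "cn=default,ou=policies,dc=example,dc=com"
ppolicy_hash_cleartext

# Write-only userPassword, as the post describes:
#   self      =xw   auth + write only (no compare, search or read)
#   anonymous auth  needed so a simple bind can check the password
#   *         none  everyone else gets nothing
# The rootdn is not subject to ACLs and can still read the attribute.
# Rules are matched in order, so this must come before any broader
# "access to *" rule.
access to attrs=userPassword
    by self      =xw
    by anonymous auth
    by *         none

# Remaining attributes stay readable; only userPassword is restricted.
access to *
    by * read
```

Whether the write-only rule takes effect can be checked with `slapacl -b <entry DN> -D <user DN> "userPassword/read"`, which evaluates the ACLs offline against the configuration.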