[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: MD5 password hash with ppolicy

On Tuesday, 22 December 2009 23:25:21 Joe Friedeggs wrote:
> I am working (with RH via Dell support) to solve an issue (that I believe
>  to be a pam_ldap issue).  The problem is that the password policy control
>  messaging does not occur when I set 'pam_password md5', thus the Linux
>  client never knows that the password expires.

Works fine here with pam_ldap 183 and:

pam_password exop
pam_lookup_policy yes

(Well, I would really prefer if pam_ldap prompted to change the password while 
there are still grace logins left, instead of waiting until they are all used 
... I'll file a bug on that).

> They have informed me that the password policy overlay in LDAP requires
>  clear-text passwords, and will not handle the password policy stuff if the
>  password is hashed.  This makes no sense to me, since ppolicy is only
>  handling expiry times, etc. and pam is handling the rest (length,
>  strength, etc., prior to hash).
> Does the ppolicy overlay require clear-text?

Only if you want it to enforce password quality, but then you should use 
pam_password exop, or set 'ppolicy_hash_cleartext yes' in slapd.conf so that 
cleartext passwords are hashed on the server.