[Date Prev][Date Next]
Re: MD5 password hash with ppolicy
On Tuesday, 22 December 2009 23:25:21 Joe Friedeggs wrote:
> I am working (with RH via Dell support) to solve an issue (that I believe
> to be a pam_ldap issue). The problem is that the password policy control
> messaging does not occur when I set 'pam_password md5', thus the Linux
> client never knows that the password expires.
Works fine here with pam_ldap 183 and:
(Well, I would really prefer if pam_ldap prompted to change the password while
there are still grace logins left, instead of waiting until they are all used
... I'll file a bug on that).
> They have informed me that the password policy overlay in LDAP requires
> clear-text passwords, and will not handle the password policy stuff if the
> password is hashed. This makes no sense to me, since ppolicy is only
> handling expiry times, etc. and pam is handling the rest (length,
> strength, etc., prior to hash).
> Does the ppolicy overlay require clear-text?
Only if you want it to enforce password quality, but then you should use
pam_password exop, or set 'ppolicy_hash_cleartext yes' in slapd.conf so that
cleartext passwords are hashed on the server.