
Re: Passwords in DIT after MOD from Solaris Client

On 11/22/10 3:39 AM, Buchan Milne wrote:
> On Monday, 22 November 2010 10:24:59 Ben Rockwood wrote:
>> Hello,
>>  I'm using pam_ldap on a Solaris 10 client and an OpenLDAP server.
>> Everything works great, with one little exception.
>>  I can create new accounts from an LDIF specifying the password as
>> {SSHA} and everything works fine.  Users can login, etc.  However, if a
>> user changes their password from Solaris ('passwd -r ldap') the password
>> is now stored in the directory as plaintext.  The user can still login,
>> change their password, etc, it works fine... but I don't want plaintext
>> passwords in the directory.
>>  I tried adding "password-hash   {SSHA}" to slapd.conf, but that didn't
>> do anything... nor would I expect it to because it's the default setting.
> This affects:
> -the default hash used by slappasswd
> -the hash used by clients when they perform a PASSMOD operation.
>>  Can anyone point me in the right direction?
> For a normal modify, nothing is done by default. However you can (ab)use the 
> ppolicy overlay, and the 'ppolicy_hash_cleartext' option, which will result in 
> the 'password-hash' being applied to cleartext values of userPassword on 
> modifies.

Works beautifully, thanks Buchan!
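For reference, here is what the configuration Buchan describes looks like in slapd.conf. This is an added example, not a configuration posted in the thread; the schema paths, suffix, rootdn, database directory and module path are assumptions for a typical install and need to be adjusted. The point to notice is that "password-hash" on its own only governs slappasswd and the Password Modify extended operation, so a client such as Solaris 'passwd -r ldap' that rewrites userPassword with an ordinary Modify gets its value stored verbatim; the ppolicy overlay with ppolicy_hash_cleartext is what applies the configured hash to such values.

```conf
# slapd.conf fragment (assumed layout; paths and names are placeholders)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
# The ppolicy overlay needs its own schema loaded
include         /etc/openldap/schema/ppolicy.schema

# Only needed if slapd was built with dynamic modules (assumed path)
modulepath      /usr/lib/openldap
moduleload      ppolicy.la

# Default hash for slappasswd and for the Password Modify (RFC 3062)
# extended operation. By itself this does NOT touch a userPassword value
# written with a plain Modify, which is why it appeared to do nothing.
password-hash   {SSHA}

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# The fix from the reply above: enable ppolicy on this database and have it
# hash any cleartext userPassword value arriving via Add or Modify, using
# the password-hash scheme configured globally.
overlay         ppolicy
ppolicy_hash_cleartext
```

With cn=config the equivalent is olcPasswordHash on the global entry and olcPPolicyHashCleartext: TRUE on the olcOverlay=ppolicy entry under the database. Two caveats a practitioner should keep in mind: the overlay only hashes values that arrive in cleartext after it is enabled, so accounts that already hold a plaintext userPassword have to have their password reset (export with slapcat and inspect the base64-encoded userPassword:: values to find them); and the slapo-ppolicy manual page notes that storing something other than what the client wrote violates the X.500 data model, which is why Buchan calls this an "(ab)use" of the overlay. Clients that hash on their own side (for example by sending a "{SSHA}" value themselves) are unaffected, since only cleartext values are rewritten.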