
Re: ppolicy issues



--On Tuesday, August 08, 2017 8:46 PM +0200 Michael Ströder <michael@stroeder.com> wrote:

> r0m5 wrote:
>> 1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext
>> passwords and slapd hashes it before writing in database for security
>> reasons (and slapd can perform password quality checks).
>
> There's a nasty issue with this configuration option when using
> slapo-accesslog:
>
> If the client sends the clear-text 'userPassword' value but the password
> quality check fails and therefore the modify request fails with
> constraintViolation the clear-text 'userPassword' value will be written
> to accesslog DB. In case of successful modification only the hashed
> 'userPassword' value is written to accesslog DB. :-/

Is there an ITS on this?  If not, there should be.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
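
Added example, not part of the original message or of OpenLDAP: a Python audit of an LDIF export of the accesslog DB that reports records whose reqMod carries a userPassword value without a {SCHEME} prefix, which is the failed-modify case described in the thread above. The sample records, DNs and function names are constructed for illustration; it assumes reqMod values of the form "userPassword:= value" alongside the reqDN and reqResult attributes.

```python
import base64
import re

# Constructed sample of an accesslog LDIF export; DNs, timestamps and
# password values are made up for this example.
_HASHED = base64.b64encode(b"userPassword:= {SSHA}Y29uc3RydWN0ZWQ=").decode()
SAMPLE_LDIF = f"""\
dn: reqStart=20170808184501.000001Z,cn=accesslog
reqType: modify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 19
reqMod: userPassword:= short1

dn: reqStart=20170808184633.000002Z,cn=accesslog
reqType: modify
reqDN: uid=bob,ou=people,dc=example,dc=com
reqResult: 0
reqMod:: {_HASHED}
"""

SCHEME = re.compile(rb"\{[A-Za-z0-9_./-]+\}")  # e.g. {SSHA}, {CRYPT}
PW_MOD = re.compile(rb"userPassword:[+=] (.+)", re.I | re.S)

def parse_entries(ldif):
    """Yield each LDIF entry as a list of (lowercased attr, bytes value)."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        entry = []
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            b64 = rest.startswith(":")  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:]) if b64 else rest.strip().encode()
            entry.append((attr.lower(), value))
        yield entry

def find_cleartext_password_mods(ldif):
    """Return (reqDN, reqResult) of records that log an unhashed userPassword."""
    hits = []
    for entry in parse_entries(ldif):
        first = dict(reversed(entry))  # first value of each attribute wins
        for attr, value in entry:
            m = PW_MOD.match(value) if attr == "reqmod" else None
            if m and not SCHEME.match(m.group(1)):  # no {SCHEME} prefix
                hits.append((first.get("reqdn", b"").decode(),
                             first.get("reqresult", b"").decode()))
                break
    return hits
```

The function returns only the target DN and result code (19 is constraintViolation), so the audit output does not copy the logged password a second time.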