
Re: {CRYPT} password to {SHA}



On Thursday 05 June 2008 21:42:57 Hallvard B Furuseth wrote:
> Jeroen van Aart writes:
> > I know about the password policy. It's a bit problematic to implement
> > into the existing system. The main issue I remember is that I wanted to
> > implement the policy for select groups, ou=People for example, but NOT
> > ou=FTPusers or ou=Virtual since those accounts can't readily change the
> > password. I couldn't find a way to do that.
>
> For that particular problem, if by "groups" you mean LDAP subtrees: You
> can put ou=People in a separate database in slapd.conf and mark it as
> "subordinate" of its parent database so they'll be glued together and
> act as one database.  Though since you mention synchronisation, there
> were or are some bugs with combining syncrepl with the glue overlay
> which "subordinate" makes use of.  The latest 2.4.* releases including
> the upcoming 2.4.10 have a number of syncrepl fixes.

Or, you can have one default policy, and override it (by setting the 
pwdPolicySubentry to the other policy) on all the entries which should not 
use the default policy. Which one you make the default, you will have to 
decide.

Regards,
Buchan
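
Added example, not part of the original message: an LDIF sketch of the default-plus-override approach described above, with a strict default policy and a second policy assigned per entry through pwdPolicySubentry. The suffix dc=example,dc=com, the policy names, the uid and all policy values are constructed placeholders, and the slapd.conf lines in the comments assume the ppolicy schema and module are already loaded.

```ldif
# Constructed example; every DN and value below is a placeholder.
# Assumed slapd.conf lines in the database section (OpenLDAP 2.4):
#   overlay ppolicy
#   ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"

# Default policy: applies to every entry that has no pwdPolicySubentry,
# so ou=People picks it up without any per-entry change.
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdMaxAge: 7776000
pwdInHistory: 5
pwdMustChange: TRUE
pwdAllowUserChange: TRUE

# Second policy for accounts that cannot readily change their own
# password (the ou=FTPusers / ou=Virtual case): pwdMaxAge 0 means the
# password does not expire, and no forced change after a reset.
dn: cn=noexpiry,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: noexpiry
pwdAttribute: userPassword
pwdMaxAge: 0
pwdMustChange: FALSE
pwdAllowUserChange: FALSE

# Override on one entry: point it at the second policy. Repeat for each
# entry under ou=FTPusers and ou=Virtual.
dn: uid=ftp01,ou=FTPusers,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpiry,ou=Policies,dc=example,dc=com
```

Load it with ldapmodify -a so the entries without a changetype are added and the last record is applied as a modify. New entries created under the exempt subtrees need pwdPolicySubentry set at creation time, otherwise they fall back to the default policy.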