[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ClearText Passwords in slapcat: please provide some inputs

Please don't use phpldapadmin. It is painful trying to help someone who is operating with such a handicap.

Here's what I did to encrypt passwords (with slapd.conf; if you are using OLC you will need to olc-ize this):

moduleload      ppolicy.la
password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"
overlay ppolicy
ppolicy_default "cn=default_pwpolicy,dc=about,dc=com"

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Manuel Afonso
Sent: Thursday, August 20, 2015 12:44 PM
To: openldap-technical@openldap.org
Subject: ClearText Passwords in slapcat: please provide some inputs

Hi people,

I am using ubuntu and phpldapadmin to manage openldap.

I have here a big issue: when using phpldapadmin/openldap, all the 
times there is (for each user/entry) a field with

cleartextPassword: <cleartextpassword>                   (this is seen 
in slapcat output)

What I want is to put in place a mechanism where there is no plain text 
field with the password in clear in each entry of openldap.

I have read about ppolicy overlay, slappasswd and so on but so far I 
was not able to figure out how to avoid this annoying clear text 
password available when I do a slapcat (as root of course)

Does anybody had such an issue ?

Any ideas or links to point for a solution?

Another question:
is it possible that this clear text password is somehow needed for the 
correct operation of openldap?

Thanks a lot for your time and (I hope) help.

Kind regards,

Manuel - Lisbon PT

This is what I got for the user mafonso (me) when doing a slapcat > 
output :
(as can be seen there is the field cleartextPassword: with pass in 
clear text)

dn: cn=mafonso,ou=***,dc=***,dc=***,dc=***,dc=pt
objectClass: ****Person
objectClass: mailAccount
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
givenName: Manuel
sn: Afonso
displayName: Manuel Afonso
cn: mafonso
mailacceptinguser: 1
maildrop: mafonso@***.pt
intranetRole: cn=**,ou=**,ou=**,dc=**,dc=**,dc=**,dc=pt
portalRole: ***
gidNumber: 516
sambaSID: ***
uidNumber: 1399
uid: mafonso
homeDirectory: /home/mafonso
intranetStatus: U
sambaAcctFlags: [UX]
loginShell: /bin/false
mailacceptinggeneralid: mafonso@****
mailacceptinggeneralid: ***@**.**.**.pt
userPassword:: e1N....
cleartextPassword: <cleartextpassword>
sambaNTPassword: D6...
sambaLMPassword: 45...