Michael Ströder wrote:
> Emily Backes wrote:
>> It's sounding like the newer and more complicated hashes have a lot of configurable
>> features that may need site-local tuning. Should these be part of e.g. slapd.conf
>> config or be settings embedded in the value format for later clarity, like
>>
>> {HASHNAME:attr=val,attr=val,attr=val}SnVzdCBhbiBleGFtcGxlLCBzaWxseQ==
>
> Somewhat both.
>
> Like in the past the password-hash should allow to set the current local security
> policy for setting new passwords but old password values should still be valid for
> authentication.

This also reminds me of this old RFE:

http://www.openldap.org/its/index.cgi?findid=7981

It might be interesting to extend the ITS to also specify the set of password schemes still accepted when processing password validation. Well, this could maybe also be done with value ACLs but...

Ciao, Michael.