[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Storing 'userPassword' encrypted via server settings.
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of don@swbe.com
> I've been wowrking towards setting up several HPUX servers to
> authenticate off
> of openldap. So far I've got the appropriate schema added so
> that I can run
> through the ldapux setup without problems and hook nss and
> pam into ldap.
> Authentication works, but when changing my password via the
> HPUX passwd command
> it stores the password in clear text on the openldap server.
> I found this note
> from 1999 and wondered if there has been any progress.
>
> http://www.openldap.org/lists/openldap-bugs/199910/msg00018.html
>
> Is it possible to change core.schema's attribute type for
> 'userPassword' to
> accomplish server based encryption?
That is what the passwordModify extended operation is for.
> In case it matters I'm running HPUX 11i with LdapUxClient B.03.10
See if the LdapUxClient supports the passwordModify exop. If it doesn't, you
need a different NSS module for LDAP support. The PADL module works well. You
can download these modules pre-built and ready-to-install in the Symas CNS
package on our web site; our HPUX package has already been tested on HPUX
11i.
Note - when processing an LDAPModify request, the server is obligated to
store exactly what the client provided. Doing anything else would be a
violation of the service model. On the other hand, the passwordModify
extended operation is intended to do "all the right things" when setting a
password, including encryption.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support