ppolicy_hash_cleartext "recommendation" ?
- To: openldap-software@openldap.org
- Subject: ppolicy_hash_cleartext "recommendation" ?
- From: Jesús Couto <jesus.couto@gmail.com>
- Date: Tue, 13 Apr 2010 13:45:18 +0200
Hi all.
I've set up an OpenLDAP directory with the password policy overlay and the ppolicy_hash_cleartext option to ensure cleartext passwords get hashed (as my client requests).
But the slapo-ppolicy man page clearly states:
"It is recommended that when this option is used that compare, search, and read access be denied to all directory users."
Is this warning about the userPassword attribute only? That is, more or less, the standard configuration: not even the user can read his password, only write. Or does this warning apply to the whole directory (a bit too much?)
Any reason for this warning in particular here? I mean, not letting anybody but the rootdn see the userPassword attribute is a good idea anyway; is there any particular reason why enabling ppolicy_hash_cleartext makes it extra-good?
Best regards,
------------------------------
Jesús Couto F.
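
The setup described in the message above, written out as an slapd.conf fragment: the ppolicy overlay with ppolicy_hash_cleartext, plus a userPassword ACL under which the owner can write but not read, search or compare the value. This is an added example, not part of the original post or of the OpenLDAP documentation; the suffix, DNs, backend and file paths are placeholders.

```conf
# Added illustration. Suffix, DNs, backend and paths are placeholders (assumptions).
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/ppolicy.schema
moduleload  ppolicy.la

database    bdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap
# The rootdn is never subject to the access rules below.
rootdn      "cn=admin,dc=example,dc=com"

# Password policy overlay on this database.
overlay                 ppolicy
ppolicy_default         "cn=default,ou=policies,dc=example,dc=com"
# Hash cleartext userPassword values arriving in Add and Modify
# requests before they are stored.
ppolicy_hash_cleartext

# userPassword: the owner gets write privilege only (=w grants no
# read, search or compare), anonymous may use the value solely to
# authenticate at bind time, everyone else gets no access.
access to attrs=userPassword
    by self =w
    by anonymous auth
    by * none

# Remaining attributes; adjust to local policy.
access to *
    by self write
    by users read
    by * none
```

Because slapd applies the first matching `access to` clause, the userPassword rule has to come before the catch-all rule.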