
Re: Password hash in openldap



On Monday, 27 October 2008, 07:02:34, Paul Lee wrote:
> Dear all,
>
> Last time I changed the slapd.conf to restrict anonymous user to see the
> userPassword attribute from 3rd party LDAP browser.  However, our client
> still wants to encrypt/hash the password stored in LDAP because he says
> that he can use other users' auth to the LDAP and then can see other
> users' password (e.g. he can see his boss's password).
>
> Since we have the admin portal to change the user password as well,
> seems it can't restrict userpassword attribute by self read/write.
>
> Also, we will use the password policy and restrict users to re-use the
> last 12 passwords.
>
> So, my question is that is it possible to hash the password stored in
> openldap, also, the password stored in the password history is also
> hashed so that even other users can't see the password of others.

man slapo_ppolicy(5)
ppolicy_hash_cleartext, but read the comment in the manual page.

-Dieter
-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
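
A slapd.conf fragment for the setup discussed in this thread, added here as an example and not part of the original messages. The suffix, the policy entry DN and the portal DN are placeholder assumptions.

```conf
# Added example; every DN below is a placeholder (assumption), not from the thread.

# --- global section ---
# Scheme slapd uses when it hashes a password itself ({SSHA} is the default).
password-hash {SSHA}

# Needed only if the ppolicy overlay was built as a module.
moduleload ppolicy.la

# --- inside the existing database section ---
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# Hash cleartext userPassword values arriving in plain Add/Modify requests
# (for example from a portal that does not use the Password Modify extended
# operation). slapo-ppolicy(5) notes that this violates the X.500/LDAP
# information model and recommends denying compare, search and read access
# to the attribute when it is enabled.
ppolicy_hash_cleartext

# userPassword: the portal's DN and the owner may bind with it and replace it
# (=xw grants auth and write without read/search/compare), anonymous clients
# may only use it to bind, and nobody else gets any access.
access to attrs=userPassword
    by dn.exact="cn=portal,dc=example,dc=com" =xw
    by self =xw
    by anonymous auth
    by * none

# Keep the existing access rules for all other attributes after this one.
# The limit of 12 remembered passwords is set in the policy entry itself
# (pwdInHistory: 12 on cn=default,ou=policies,dc=example,dc=com).
```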