Re: MD5 password hash with ppolicy



On Tuesday, 22 December 2009 23:25:21 Joe Friedeggs wrote:
> I am working (with RH via Dell support) to solve an issue (that I believe
>  to be a pam_ldap issue).  The problem is that the password policy control
>  messaging does not occur when I set 'pam_password md5', thus the Linux
>  client never knows that the password expires.

Works fine here with pam_ldap 183 and:

pam_password exop
pam_lookup_policy yes

(Well, I would really prefer if pam_ldap prompted to change the password while 
there are still grace logins left, instead of waiting until they are all used 
... I'll file a bug on that).

> They have informed me that the password policy overlay in LDAP requires
>  clear-text passwords, and will not handle the password policy stuff if the
>  password is hashed.  This makes no sense to me, since ppolicy is only
>  handling expiry times, etc. and pam is handling the rest (length,
>  strength, etc., prior to hash).
> 
> Does the ppolicy overlay require clear-text?

Only if you want it to enforce password quality, but then you should use 
pam_password exop, or set 'ppolicy_hash_cleartext yes' in slapd.conf so that 
cleartext passwords are hashed on the server.

Regards,
Buchan
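
The settings discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from pam_ldap/OpenLDAP: a small audit of a pam_ldap client config (and optionally a slapd.conf) that flags client-side hashing, cleartext changes with no server-side hashing, and a missing pam_lookup_policy. The function names, finding codes and sample configs are hypothetical and constructed for illustration.

```python
# Added example, not code from the thread. Sample configs are constructed.

def parse_conf(text):
    """Parse 'directive value' lines; skip blanks and '#' comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(client_conf, server_conf=""):
    """Return finding codes for a pam_ldap config (and optional slapd.conf)."""
    client, server = parse_conf(client_conf), parse_conf(server_conf)
    findings = []
    mode = client.get("pam_password", "").lower()
    hash_on_server = ("ppolicy_hash_cleartext" in server and
                      server["ppolicy_hash_cleartext"].lower()
                      not in ("no", "off", "false"))
    if mode == "exop":
        pass  # password change goes through the extended operation
    elif mode == "clear":
        # Cleartext reaches the server; it is only hashed there if slapd
        # has ppolicy_hash_cleartext set.
        if not hash_on_server:
            findings.append("cleartext-not-hashed-on-server")
    elif not mode:
        findings.append("pam-password-not-set")
    else:
        # e.g. md5: the client hashes first, so the server only ever sees
        # a hash and ppolicy has nothing to run quality checks against.
        findings.append("server-cannot-check-quality")
    # The working configuration in the reply sets pam_lookup_policy yes.
    if client.get("pam_lookup_policy", "").lower() != "yes":
        findings.append("policy-lookup-disabled")
    return findings

# Constructed sample configs
HASHED_CLIENT = "# client hashes locally\npam_password md5\n"
WORKING_CLIENT = "pam_password exop\npam_lookup_policy yes\n"
CLEAR_CLIENT = "pam_password clear\npam_lookup_policy yes\n"
SERVER = "overlay ppolicy\nppolicy_hash_cleartext yes\n"

if __name__ == "__main__":
    for name in ("HASHED_CLIENT", "WORKING_CLIENT", "CLEAR_CLIENT"):
        print(name, audit(globals()[name]))
```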