Re: Passwords in DIT after MOD from Solaris Client
On Monday, 22 November 2010 10:24:59 Ben Rockwood wrote:
> Hello,
>
> I'm using pam_ldap on a Solaris 10 client and an OpenLDAP server.
> Everything works great, with one little exception.
>
> I can create new accounts from an LDIF specifying the password as
> {SSHA} and everything works fine. Users can login, etc. However, if a
> user changes their password from Solaris ('passwd -r ldap') the password
> is now stored in the directory as plaintext. The user can still login,
> change their password, etc, it works fine... but I don't want plaintext
> passwords in the directory.
>
> I tried adding "password-hash {SSHA}" to slapd.conf, but that didn't
> do anything... nor would I expect it to because its the default setting.
This affects:
- the default hash used by slappasswd
- the hash used by clients when they perform a PASSMOD operation.
> Can anyone point me in the right direction?
For a normal modify, nothing is done by default. However you can (ab)use the
ppolicy overlay, and the 'ppolicy_hash_cleartext' option, which will result in
the 'password-hash' being applied to cleartext values of userPassword on
modifies.
Regards,
Buchan
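As an added illustration of the fix Buchan describes (this is an editor's example, not configuration from the original post or from the OpenLDAP project), the weak setting and the corrected one side by side in slapd.conf. The module path, schema path and suffix are assumptions; the directive names (password-hash, overlay ppolicy, ppolicy_hash_cleartext) are the real ones from slapd.conf(5) and slapo-ppolicy(5).

```conf
# --- Before: what the original poster had ---------------------------------
# password-hash only governs slappasswd's default and the hash applied when
# a client sends an RFC 3062 Password Modify (PASSMOD) extended operation.
# A plain LDAP modify of userPassword, which is what Solaris 'passwd -r ldap'
# does, stores whatever the client sent: the cleartext string.
password-hash   {SSHA}

# --- After: ppolicy overlay hashing cleartext on modify -------------------
# Assumed paths; adjust to the build's actual schema and module directories.
include         /etc/openldap/schema/ppolicy.schema
modulepath      /usr/lib/openldap
moduleload      ppolicy.la

# Still needed: ppolicy_hash_cleartext hashes with the scheme given here.
password-hash   {SSHA}

database        bdb
suffix          "dc=example,dc=com"       # assumed suffix
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# The overlay must be declared inside the database section it protects.
overlay         ppolicy
# Hash any cleartext userPassword value arriving in an Add or Modify
# request before it is written to the DIT.
ppolicy_hash_cleartext
```

After restarting slapd, only values written from then on are hashed; entries that already hold cleartext passwords stay cleartext until the user (or an administrator) sets the password again. A quick check that the change took effect is to have a test user run `passwd -r ldap` and then read the attribute back with something like `slapcat -l - | grep '^userPassword::'` and base64-decode the value, which should now begin with `{SSHA}`. Note that once cleartext values are hashed on the way in, clients or applications that relied on reading the cleartext password back (for example to support a non-simple SASL mechanism) will no longer be able to do so.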