
RE: ClearText Passwords in slapcat: please provide some inputs



Please don't use phpldapadmin. It is painful trying to help someone who is operating with such a handicap.

Here's what I did to encrypt passwords (with slapd.conf; if you are using OLC you will need to olc-ize this):

moduleload      ppolicy.la
password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"
overlay ppolicy
ppolicy_default "cn=default_pwpolicy,dc=about,dc=com"
ppolicy_hash_cleartext

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Manuel Afonso
Sent: Thursday, August 20, 2015 12:44 PM
To: openldap-technical@openldap.org
Subject: ClearText Passwords in slapcat: please provide some inputs

Hi people,

I am using ubuntu and phpldapadmin to manage openldap.

I have here a big issue: when using phpldapadmin/openldap, every time 
there is (for each user/entry) a field with

cleartextPassword: <cleartextpassword>

(this is seen in slapcat output)


What I want is to put in place a mechanism where there is no plain text 
field with the password in clear in each entry of openldap.

I have read about the ppolicy overlay, slappasswd and so on, but so far I 
have not been able to figure out how to avoid this annoying clear text 
password being available when I do a slapcat (as root, of course).

Did anybody have such an issue?

Any ideas or links to point for a solution?


Another question:
is it possible that this clear text password is somehow needed for the 
correct operation of openldap?



Thanks a lot for your time and (I hope) help.

Kind regards,

Manuel - Lisbon PT



This is what I got for the user mafonso (me) when doing a slapcat > 
output:
(as can be seen, there is the field cleartextPassword: with the password in 
clear text)


dn: cn=mafonso,ou=***,dc=***,dc=***,dc=***,dc=pt
objectClass: ****Person
objectClass: mailAccount
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
givenName: Manuel
sn: Afonso
displayName: Manuel Afonso
cn: mafonso
mailacceptinguser: 1
maildrop: mafonso@***.pt
intranetRole: cn=**,ou=**,ou=**,dc=**,dc=**,dc=**,dc=pt
...
portalRole: ***
...
gidNumber: 516
sambaSID: ***
uidNumber: 1399
uid: mafonso
homeDirectory: /home/mafonso
intranetStatus: U
sambaAcctFlags: [UX]
loginShell: /bin/false
mailacceptinggeneralid: mafonso@****
mailacceptinggeneralid: ***@**.**.**.pt
userPassword:: e1N....
cleartextPassword: <cleartextpassword>
sambaNTPassword: D6...
sambaLMPassword: 45...
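An added audit script, not from this thread, that walks a slapcat dump and flags the two things discussed above: a cleartextPassword attribute, and userPassword values stored without a {SCHEME} tag (which is what password-hash together with ppolicy_hash_cleartext prevents, for userPassword only). The LDIF below is constructed to mirror the quoted entry; in real use, feed it the file written by slapcat -l.

```python
import base64
import re

# slapd writes hashed userPassword values with a scheme tag such as {CRYPT} or
# {SSHA}; a value without one was stored exactly as the client sent it.
SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9-]+\}")
ATTR_RE = re.compile(r"^([^:]+)(::?)\s*(.*)$")

# Constructed sample mirroring the thread's slapcat entry (all values made up).
SAMPLE_LDIF = """dn: cn=mafonso,ou=people,dc=example,dc=pt
userPassword:: e1NTSEF9ZHVtbXk=
cleartextPassword: hunter2

dn: cn=ok,ou=people,dc=example,dc=pt
userPassword: {CRYPT}$6$saltsaltsalt$notarealhash

dn: cn=bad,ou=people,dc=example,dc=pt
userPassword: hunter2
"""


def parse_ldif(text):
    """Yield (dn, {lowercased attr: [bytes]}) per entry; handles the '::'
    base64 form and the single-space continuation lines slapcat emits."""
    text = re.sub(r"\n ", "", text)              # unfold continuation lines
    for block in text.split("\n\n"):
        dn, attrs = None, {}
        for item in block.splitlines():
            name, sep, value = ATTR_RE.match(item).groups()
            data = base64.b64decode(value) if sep == "::" else value.encode()
            name = name.strip().lower()
            if name == "dn":
                dn = data.decode()
            attrs.setdefault(name, []).append(data)
        if dn is not None:
            yield dn, attrs


def find_cleartext(text):
    """Return {dn: [reasons]} for entries carrying password material in clear."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        reasons = []
        if "cleartextpassword" in attrs:
            reasons.append("cleartextPassword attribute present")
        for pw in attrs.get("userpassword", []):
            if not SCHEME_RE.match(pw):
                reasons.append("userPassword stored without a {SCHEME} prefix")
        if reasons:
            findings[dn] = reasons
    return findings
```

Run it against the dump after enabling the overlay and re-setting passwords; entries that still show up need the cleartextPassword attribute removed by whatever tool writes it, since ppolicy does not touch attributes other than userPassword.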