2009/11/9 David Rosenstrauch <[email protected]>:
> Hi. Came upon your ldap tools recently and I'm finding them extremely
> useful in administering our openldap server. (I'm using both check_password
> and self-service-password.) Great stuff, and thanks for the hard work - and
> for open sourcing it for the rest of us!
>
> I'm having a problem when using the self-service-password app in conjunction
> with check_password, though, which I was hoping you might be able to help
> with.
>
> The self-service-password GUI is working fine (using $hash = "clear"), and
> the check-password util is able to properly enforce our password complexity
> requirements. However, when openldap saves the new self service password,
> it's saving it in clear text, which is definitely NOT what I want.
>
> I'm not sure how to work around this problem. If I change the
> self-service-password config to send SSHA passwords, then check_password
> won't be able to validate new passwords, so that's not an option.
>
> This problem doesn't seem to happen for some reason when I change a password
> using the command line LDAP client (ldappasswd). When I use that, openldap
> both validates the password complexity with check_password and saves it as
> SSHA.
>
> Anyone know how I can work around this issue and get all 3 of
> self-service-password, check-password, and storing passwords as SSHA working
> together? Is there perhaps some setting in either self-service-password or
> openldap itself that can make this happen?
>
Hi,

David opened this issue here:
http://tools.lsc-project.org/issues/show/143

The issue is now closed, by using the ppolicy_hash_cleartext option of
overlay ppolicy.

Thanks to David for his feedback. This should soon be documented on the wiki.

Clément.
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
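An added example, not part of the original thread or of the LTB project's code: a Python audit over a slapcat-style LDIF export that lists entries whose userPassword was stored without a {SCHEME} prefix (for instance passwords saved in clear text before ppolicy_hash_cleartext was enabled), together with a {SSHA} verifier. The DNs, passwords and salt are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re

SCHEME = re.compile(rb"^\{[A-Za-z0-9-]+\}")  # e.g. {SSHA}, {CRYPT}

def make_ssha(password, salt):
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def check_ssha(stored, password):
    """Verify a candidate password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def find_cleartext(ldif):
    """Return DNs whose userPassword has no {SCHEME} prefix."""
    flagged, dn = [], None
    for line in ldif.replace("\n ", "").splitlines():  # unfold LDIF lines
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # base64-encoded value
            value = base64.b64decode(line[15:])
            if not SCHEME.match(value):
                flagged.append(dn)
        elif line.startswith("userPassword: "):  # plain value
            if not SCHEME.match(line[14:].encode()):
                flagged.append(dn)
    return flagged

def sample_ldif():
    """Constructed export: alice is hashed, bob was stored in clear text."""
    hashed = base64.b64encode(make_ssha(b"Tr0ub4dor&3", b"saltsalt")).decode()
    clear = base64.b64encode(b"Summer2009!").decode()
    return (
        "dn: uid=alice,ou=people,dc=example,dc=com\n"
        f"userPassword:: {hashed[:60]}\n {hashed[60:]}\n"  # folded line
        "\n"
        "dn: uid=bob,ou=people,dc=example,dc=com\n"
        f"userPassword:: {clear}\n"
    )

if __name__ == "__main__":
    for entry in find_cleartext(sample_ldif()):
        print("cleartext userPassword:", entry)
```

Any entry the audit flags still holds a clear-text password and needs a reset once hashing is in place.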
