On 2/15/19 2:57 AM, Derek Zhou wrote:
> Yeah, adding kerberos is a complexity and you cannot change password
> via ldap anymore; has to go through the kerberos route. My notion of
> "safe" is only referring to the fact that the password text is not
> stored anywhere and the rogue admin cannot read users' passwords.

If you set the password-hash directive in slapd.conf and use the Password Modify extended operation (e.g. via the CLI tool ldappasswd), then no clear-text password is stored. Choose a salted hash scheme. In contrast to that, a KDC must store a reversibly encrypted shared secret derived from the user's password, which can be directly abused in the Kerberos protocol if the KDC system gets hacked.

> I haven't found a good and up-to-date howto with step-by-step
> instructions on ppolicy with cn=config. I'd appreciate it if someone
> here could give me a pointer.

I have no docs at hand which are better than OpenLDAP's admin guide.

Ciao, Michael.