[Luma-users] feature request: use EXOP for password changes

[Andreas H. <aha...@te...>]

OpenLDAP supports an EXOP for password changes. This means the hash
is not done by the client, but by the server with whatever scheme the
server is configured to use.

This could be added to the password change dialog as another option
(called "exop" or "use extended operation", for example) among the
schemes that are already there.

One benefit of this is for when one uses openldap's new password policy
overlay, which intercepts password changes and applies policies to them.
If supplying the password already as a hash, the policy can't be applied
because the clear text password is unknown. But if using exop, the
password is provided in clear text and the server can then test it for
the security policies that were configured. And, if the new password
passes the tests, it gets hashed by the server and stored.

The other benefit is that there is no risk of ever using a hash
algorithm or implementation that the server happens to not support.

There are some workarounds one can use while exop is not implemented in
luma: select "clear text" in luma and enable ppolicy_hash_cleartext on
the server. It's description says (emphasis mine):

       ppolicy_hash_cleartext
              Specify that cleartext  passwords  present  in  Add  and  Modify
              requests  should  be hashed before being stored in the database.
              This violates the  X.500/LDAP  information  model,  but  may  be
              needed  to  compensate for LDAP clients that don't use the Pass-
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              word Modify extended operation to manage passwords.  It is  rec-
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              ommended that when this option is used that compare, search, and
              read access be denied to all directory users.