From: Andreas H. <aha...@te...> - 2006-04-26 14:56:02
OpenLDAP supports an EXOP for password changes. This means the hash is not done by the client, but by the server with whatever scheme the server is configured to use. This could be added to the password change dialog as another option (called "exop" or "use extended operation", for example) among the schemes that are already there.

One benefit of this is for when one uses openldap's new password policy overlay, which intercepts password changes and applies policies to them. If supplying the password already as a hash, the policy can't be applied because the clear text password is unknown. But if using exop, the password is provided in clear text and the server can then test it for the security policies that were configured. And, if the new password passes the tests, it gets hashed by the server and stored.

The other benefit is that there is no risk of ever using a hash algorithm or implementation that the server happens to not support.

There are some workarounds one can use while exop is not implemented in luma: select "clear text" in luma and enable ppolicy_hash_cleartext on the server. Its description says (emphasis mine):

    ppolicy_hash_cleartext
        Specify that cleartext passwords present in Add and Modify
        requests should be hashed before being stored in the database.
        This violates the X.500/LDAP information model, but may be
        needed to compensate for *LDAP clients that don't use the
        Password Modify extended operation to manage passwords*. It is
        recommended that when this option is used that compare, search,
        and read access be denied to all directory users.
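To make the mechanism concrete, here is an added example (not part of the post above, and not luma or OpenLDAP code) that encodes and decodes the RFC 3062 Password Modify request value the EXOP carries, and then plays the server side: because the new password arrives in clear text, the server can run a policy check on it before hashing it with the {SSHA} scheme it is configured for. The OID 1.3.6.1.4.1.4203.1.11.1 and the BER tags are the real ones from RFC 3062; the function names, the minimum-length rule standing in for the full ppolicy checks, and the DN and passwords are constructed for the example.

```python
import base64
import hashlib
import os

# Password Modify extended operation OID, as assigned in RFC 3062.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific tags of PasswdModifyRequestValue ::= SEQUENCE {
#   userIdentity [0] OCTET STRING OPTIONAL,
#   oldPasswd    [1] OCTET STRING OPTIONAL,
#   newPasswd    [2] OCTET STRING OPTIONAL }
FIELD_TAGS = {"userIdentity": 0x80, "oldPasswd": 0x81, "newPasswd": 0x82}
TAG_NAMES = {tag: name for name, tag in FIELD_TAGS.items()}


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_passwd_modify_value(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """Build the requestValue a client sends; all three fields are optional."""
    inner = b""
    for name, text in (("userIdentity", user_identity),
                       ("oldPasswd", old_passwd),
                       ("newPasswd", new_passwd)):
        if text is not None:
            inner += _tlv(FIELD_TAGS[name], text.encode("utf-8"))
    return _tlv(0x30, inner)  # universal SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify_value(data: bytes) -> dict:
    """Parse the requestValue as the server does; rejects trailing or unknown data."""
    tag, inner, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a PasswdModifyRequestValue SEQUENCE")
    fields, pos = {}, 0
    while pos < len(inner):
        tag, value, pos = _read_tlv(inner, pos)
        if tag not in TAG_NAMES:
            raise ValueError("unexpected tag 0x%02x" % tag)
        fields[TAG_NAMES[tag]] = value.decode("utf-8")
    return fields


def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def server_handle(request_value: bytes, min_length: int = 8, salt: bytes = None) -> dict:
    """Server side of the EXOP: policy check on the clear text, then hash and store.

    min_length stands in for the ppolicy checks (an assumption for this example);
    the real overlay applies whatever pwdPolicy entry governs the user.
    """
    fields = decode_passwd_modify_value(request_value)
    new = fields.get("newPasswd")
    if new is None or len(new) < min_length:
        # ppolicy answers a failed check with an LDAP constraintViolation result.
        return {"result": "constraintViolation", "stored": None}
    return {"result": "success", "stored": ssha_hash(new, salt)}


if __name__ == "__main__":
    req = encode_passwd_modify_value("uid=alice,dc=example,dc=com", "oldpass", "correct horse")
    print(req.hex())
    print(server_handle(req))
```

Had the client sent a precomputed `{SSHA}` string as the userPassword attribute value instead, `server_handle` would have nothing to check: the policy step only exists because the EXOP hands the server the clear text.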