Discussion:
ppolicy_hash_cleartext "recommendation" ?
Jesús Couto
2010-04-13 11:45:18 UTC
Hi all.

I've set up an OpenLDAP directory with the password policy overlay and the
ppolicy_hash_cleartext option to ensure cleartext passwords get hashed (as
my client requests).

But the slapo-ppolicy man page clearly states:

"It is recommended that when this option is used that compare, search, and
read access be denied to all directory users."

Is this warning about the userPassword attribute only? That is, more or
less, the standard configuration: not even the user can read his password,
only write it. Or does this warning apply to the whole directory (a bit too much?)

Any reason for this warning in particular here? I mean, not letting anybody
but the rootdn see the userPassword attribute is a good idea anyway, any
particular reason why enabling ppolicy_hash_cleartext makes it extra-good?

Best regards,

------------------------------

Jesús Couto F.
