[389-users] Enforcement of password policy dependend on presence of {password encryption type}?
Gerrard Geldenhuis
Gerrard.Geldenhuis at betfair.com
Wed Sep 22 17:32:28 UTC 2010
Hi
Problem Statement:
If I have the following ldif executed by Directory Manager:
dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.
If however the ldif looks like:
dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
It is not subject to the password policy and stil gets changed.
doing a ldapsearch will show the following:
# jsmith, People, mycompany
dn: uid=jsmith,ou=People,dc=mycompany
uid: jsmith
cn: John Smith
userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
Questions:
Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager.
Is there any way apart from looking at :
dn: cn=config
passwordStorageScheme: ssha
to determine what the encryption will be. Or put differently how can I be sure that the string I am seeing has been properly encrypted according the set standard?
Best Regards
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20100922/321b4a01/attachment.html>
More information about the 389-users
mailing list