Hi

Problem Statement:

If I have the following ldif executed by Directory Manager:

dn: uid=jsmith,ou=People,dc=mycompany

changetype: modify

replace: userPassword

userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171

 

This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.

 

If however the ldif looks like:

dn: uid=smith,ou=People,dc=mycompany

changetype: modify

replace: userPassword

userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt

 

It is not subject to the password policy and stil gets changed.

 

doing a ldapsearch will show the following:

# jsmith, People, mycompany

dn: uid=jsmith,ou=People,dc=mycompany

uid: jsmith

cn: John Smith

userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=

 

Questions:

Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager.

 

Is there any way apart from looking at :

dn: cn=config

passwordStorageScheme: ssha

 

to determine what the encryption will be. Or put differently how can I be sure that the string I am seeing has been properly encrypted according the set standard?

 

Best Regards


________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________