Hi All,
I have an FDS and 389 instance set up with a number of users, and password policy requiring minimum password length, some numbers, and some other characters.
This all works well for mandating secure passwords. However, whenever users authenticate via LDAP the server appears to check only the first 8 characters of their passwords. For example if a user has a password of "foobar1234!" they can still login with "foobar12" or "foobar12bazbaz". I've tested this with unix client logins (via PAM) and directly via the ldapsearch command. Both exhibit the same behavior.
Goo diligence hasn't really turned up anything, though it could be I'm missing the obvious. Has anyone run into this problem before? Is this possibly an issue with the way I'm storing passwords?
-Aaron
Aaron Mills wrote:
> Hi All,
> I have an FDS and 389 instance set up with a number of users, and password policy requiring minimum password length, some numbers, and some other characters.
> This all works well for mandating secure passwords. However, whenever users authenticate via LDAP the server appears to check only the first 8 characters of their passwords. For example if a user has a password of "foobar1234!" they can still login with "foobar12" or "foobar12bazbaz". I've tested this with unix client logins (via PAM) and directly via the ldapsearch command. Both exhibit the same behavior.
> Goo diligence hasn't really turned up anything, though it could be I'm missing the obvious. Has anyone run into this problem before? Is this possibly an issue with the way I'm storing passwords?
How are you storing passwords?
What platform? What version of 389-ds-base?
> -Aaron
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Aaron Mills wrote:
> However, whenever users authenticate via LDAP the server appears to check only the first 8 characters of their passwords.
You're probably using the CRYPT password method. Other, newer and safer methods, such as SSHA, can store much longer passwords.
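To check which accounts are affected by the behaviour discussed in this thread, the following added example (not code from any of the posters or from the 389 project) audits an LDIF export for `userPassword` values that only protect the first 8 characters. It assumes that a `{CRYPT}` value with a 13-character body is a traditional DES crypt(3) hash, that attribute names are spelled `userPassword`, and that lines are not folded; the sample entries and hash strings are constructed.

```python
import base64
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, 13 in total.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")


def classify(value):
    """Return (scheme, truncates) for one userPassword value."""
    m = SCHEME.match(value)
    if not m:
        return ("CLEAR", False)  # no {SCHEME} prefix: stored as cleartext
    scheme, body = m.group(1).upper(), m.group(2)
    # Only the classic 13-char DES form ignores input past 8 characters;
    # "$id$..." bodies are modular crypt formats and are not flagged.
    return (scheme, scheme == "CRYPT" and bool(DES_CRYPT.match(body)))


def audit_ldif(text):
    """Yield (dn, scheme, truncates) per userPassword attribute in an LDIF."""
    dn = None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # base64-encoded value
            raw = base64.b64decode(line[15:]).decode("utf-8", "replace")
            yield (dn, *classify(raw))
        elif line.startswith("userPassword: "):
            yield (dn, *classify(line[14:]))


# Constructed sample export; the hash strings are placeholders, not real hashes.
_B64 = base64.b64encode(b"{CRYPT}abJnggxhB/yHs").decode()
SAMPLE = f"""dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {{CRYPT}}abJnggxhB/yHs

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {{SSHA}}Q09OU1RSVUNURURjb25zdHJ1Y3RlZA==

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: {_B64}
"""

if __name__ == "__main__":
    for dn, scheme, truncates in audit_ldif(SAMPLE):
        note = "only first 8 characters checked" if truncates else "ok"
        print(f"{dn}: {scheme} ({note})")
```

Accounts flagged this way keep the truncated hash until the password is set again under a different storage scheme, since the stored hash cannot be converted in place.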