[389-users] Enforcement of password policy dependend on presence of {password encryption type}?
Morris, Patrick
patrick.morris at hp.com
Wed Sep 22 17:56:39 UTC 2010
On 9/22/2010 10:32 AM, Gerrard Geldenhuis wrote:
>
> Hi
>
> Problem Statement:
>
> If I have the following ldif executed by Directory Manager:
>
> dn: uid=jsmith,ou=People,dc=mycompany
>
> changetype: modify
>
> replace: userPassword
>
> userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
>
> This will get transmitted in clear text (via ssl, if enabled) to the
> server if done remotely and will be subject to any password policy set.
>
> If however the ldif looks like:
>
> dn: uid=smith,ou=People,dc=mycompany
>
> changetype: modify
>
> replace: userPassword
>
> userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
>
> It is not subject to the password policy and stil gets changed.
>
> [snip]
Questions:
>
> Is the difference in behaviour when using a clear text password as
> opposed to a {SSHA} password intentional? Granted that it gets
> executed as Directory Manager.
>
I would think that the difference is not only intentional, but
absolutely necessary. SSHA is a *hash*; it is not the password.
There's no way to convert that hash back to a password to determine if
the original data complied with security policies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20100922/4d36eba1/attachment.html>
More information about the 389-users
mailing list