lists.arthurdejong.org

Re: [nssldap] Questions about start_tls

On Wed, Dec 10, 2008 at 09:08:21AM +0200, Buchan Milne wrote:

> AFAIK, password history can be enforced even with pam_password crypt (or similar),

Unlikely. Remember that most password hash algorithms include random
salt, so the same password can translate to many thousand different
hash strings. There is no way to know whether two strings using
different salt refer to the same password.

As you said above:

> OpenLDAP can't enforce anything if it receives the encrypted password.

It may be wise to set pwdCheckQuality=2 in the password policy to make
sure that passwords are only accepted in clear text.

It would also be wise to write LDAP ACLs such that password changes
are not accepted unless the session is encrypted.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
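The two server-side measures recommended in the reply above (pwdCheckQuality=2 in the ppolicy entry, and an ACL that only allows userPassword to be written over an encrypted session) as one LDIF file. This is an added example, not configuration posted in the thread. It assumes an OpenLDAP server using cn=config, the suffix dc=example,dc=com, the data backend at olcDatabase={1}mdb,cn=config, an administrator cn=admin,dc=example,dc=com, and the ppolicy overlay already loaded as olcOverlay={0}ppolicy on that database; every one of those names is an assumption for illustration. With pwdCheckQuality set to 2 the server refuses a password change it cannot inspect (a value that arrives already hashed), so when the change does arrive in clear text it can hash the candidate with the salt of each value kept under pwdInHistory and compare, which is exactly the check that is impossible between two independently salted hashes.

```ldif
# Added example, not from the mailing-list thread. All DNs, the backend
# index ({1}mdb), the overlay index ({0}ppolicy) and the admin DN are
# assumptions; adjust them to the server being configured.

# 1. Password policy entry in the data DIT. pwdPolicy is an auxiliary
#    class, so a structural class (person) is needed to carry it.
#    pwdCheckQuality: 2 rejects changes whose value the server cannot
#    inspect, i.e. pre-hashed passwords; pwdInHistory keeps the last
#    five hashes so reuse can be detected against the clear-text candidate.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdInHistory: 5
pwdMinLength: 12

# 2. Make that entry the default policy of the ppolicy overlay.
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. ACL on userPassword: writes (by the user or the admin) and binds are
#    only honoured when the session has a security strength factor of at
#    least 128 (TLS or start_tls with a real cipher); nobody may read the
#    value back. Inserted at position {0} so it precedes any broader rule.
#    Continuation lines start with a single space, as LDIF requires.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by ssf=128 dn.exact="cn=admin,dc=example,dc=com" write
  by ssf=128 self write
  by ssf=128 anonymous auth
  by * none
```

Apply it with ldapmodify as an identity allowed to write both the data DIT and cn=config (for example the config parts over ldapi:/// with SASL EXTERNAL). For this to have the intended effect the server must hash what it stores itself (olcPasswordHash / password-hash, e.g. {SSHA}), and the pam_ldap clients must send the clear-text password, for instance with pam_password exop, rather than pam_password crypt; otherwise every change is refused by the policy, which is the correct failure mode but a surprising one if the client side is not updated at the same time. Note that with ssf=128 in the ACL a client that binds without TLS gets no access to userPassword at all, so plain simple binds stop working too; that is usually what is wanted, but it should be verified on a test server before rollout.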