lists.arthurdejong.org

Re: [nssldap] Questions about start_tls


On Wed, Dec 10, 2008 at 10:13 AM, Andrew Findlay <andrew.findlay [at] skills-1st.co.uk> wrote:

> As you said above:
>
> > OpenLDAP can't enforce anything if it
> > receives the encrypted password.
>
> It may be wise to set pwdCheckQuality=2 in the password policy to make
> sure that passwords are only accepted in clear text.
>
> It would also be wise to write LDAP ACLs such that password changes
> are not accepted unless the session is encrypted.
>
> Andrew
> --

Thanks to both of you for the responses. Changing pam_password from md5 (which was inserted by Redhat's authconfig) to exop fixed the password policy issues.  Also, setting pwdCheckQuality=2 was helpful in troubleshooting.

I still see in the debug output that the old password is being sent in cleartext when I change it. To be sure I understand correctly, Buchan: this is normal and necessary for ppolicy to check against the history?

Andrew, do you know of a handy example of an acl that enforces encryption on passwd changes?

Thanks again.
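The configuration Andrew's two suggestions describe (pwdCheckQuality=2 plus an ACL that only grants write on userPassword over an encrypted session), together with the matching pam_ldap client setting, as an added example. It is not from the original thread, nor from the OpenLDAP or nss_ldap/pam_ldap projects; the DNs, hostnames, file paths and the chosen security strength factor of 128 are assumptions, and the layout is slapd.conf style as used at the time of the thread rather than cn=config.

```conf
# --- slapd.conf (server side), added example; DNs and paths are assumptions ---

# TLS has to be set up before any ssf= clause can ever match: without a
# usable server certificate STARTTLS fails and the session's ssf stays 0.
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# Password policy overlay. pwdCheckQuality=2 makes slapd reject a new
# password it cannot inspect, i.e. one the client already hashed (what
# "pam_password md5" does), so clients must use the Password Modify
# extended operation and let the server do the hashing.
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# ACL for the password attribute. The only clause that grants write is
# gated on ssf=128: the session must be protected by a cipher of at least
# 128-bit strength (TLS via STARTTLS or ldaps://, or SASL protection).
# A client changing its password over a plain connection matches neither
# ssf clause, falls through to "by * none" and is refused. Simple bind is
# gated the same way because it also carries the cleartext password.
# Use tls_ssf=128 instead of ssf=128 to accept only TLS, not SASL layers.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

access to *
        by self write
        by users read
        by * none

# Coarser alternative to the ACL, applied to every operation of the kind:
#   security simple_bind=128 update_ssf=128

# --- policy entry, loaded once with ldapadd (constructed example) ---
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdInHistory: 5

# --- /etc/ldap.conf (pam_ldap / nss_ldap client), constructed example ---
uri ldap://ldap.example.com/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
# exop sends the new password in the clear inside the encrypted session so
# slapd can hash it and ppolicy can check quality and history; "md5"
# pre-hashes it on the client, which pwdCheckQuality=2 then rejects.
pam_password exop
```

To check that the ACL does what is intended, run ldappasswd against a test account twice: once with -ZZ (refuse to continue unless STARTTLS succeeds) and once without any TLS. The first should succeed; the second should be refused, in this configuration already at the bind, since auth access on userPassword is gated on ssf as well. If the server and client negotiate a cipher weaker than the factor you chose, the encrypted attempt is refused too, so set the number to match the ciphers your TLS stack actually offers.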