
RE: [nssldap] Questions about start_tls


From: owner-nssldap@padl.com [mailto:owner-nssldap@padl.com] On Behalf Of maillists0@gmail.com
Sent: Wednesday, December 10, 2008 2:28 PM
To: Buchan Milne; nssldap@padl.com
Subject: Re: [nssldap] Questions about start_tls


On Wed, Dec 10, 2008 at 10:13 AM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:

As you said above:

> OpenLDAP can't enforce anything if it
> receives the encrypted password.

It may be wise to set pwdCheckQuality=2 in the password policy to make
sure that passwords are only accepted in clear text.

It would also be wise to write LDAP ACLs such that password changes
are not accepted unless the session is encrypted.

Andrew
--

Thanks to both of you for the responses. Changing pam_password from md5 (which was inserted by Red Hat's authconfig) to exop fixed the password policy issues. Also, setting pwdCheckQuality=2 was helpful in troubleshooting.

I still see in the debug output that the old password is being sent in cleartext when I change it. To be sure I understand correctly, Buchan: this is normal and necessary for ppolicy to check against the history?

Andrew, do you know of a handy example of an acl that enforces encryption on passwd changes?

Thanks again. 

http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20Examples
Another way, in slapd.conf:
security ssf=1 update_ssf=112
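
Both mechanisms the reply above points at (an ACL that only grants userPassword writes over a protected session, and the global security directive), together with Andrew's pwdCheckQuality=2 advice, as one worked slapd.conf fragment. This is an added example, not text from the thread and not taken from the OpenLDAP documentation; the suffix dc=example,dc=com, the certificate paths, the policy DN and the SSF values are assumptions you would replace with your own.

```conf
# Added example (not from the thread). Assumes OpenLDAP 2.4, slapd.conf
# style configuration, a hypothetical suffix dc=example,dc=com, and
# certificate paths that are placeholders.

TLSCACertificateFile   /etc/openldap/cacerts/ca.pem
TLSCertificateFile     /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key

# Give the ldapi:// listener a strong SSF so local administration over the
# Unix socket is not locked out by the requirements below.
localSSF 128

# Global requirements, as in the reply above:
#   ssf=1        every session needs at least integrity protection
#   update_ssf   add/modify/delete/modrdn (password changes included)
#                need an SSF of at least 112 (TLS with a real cipher)
# simple_bind goes one step beyond the reply: a simple bind, which carries
# the password itself, is refused on a weaker session too.
security ssf=1 update_ssf=112 simple_bind=112

# Hash whatever arrives in cleartext through the Password Modify extended
# operation (pam_password exop) before it is written to the entry.
password-hash {SSHA}

database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"

# ACL for userPassword. It duplicates the security directive on purpose:
# the rule survives even if someone later relaxes the global setting.
# "by" clauses are tried in order and the first matching <who> wins, so a
# user on an unprotected session never reaches "self write", falls through
# and ends at "by * none". Binds (auth) are allowed on any integrity-
# protected session; nobody may read the stored hashes.
access to attrs=userPassword
    by ssf=112 self write
    by ssf=1 anonymous auth
    by * none

# Everything else: the owner may write, authenticated users may read.
# This must come after the userPassword rule; ACLs are first match.
access to *
    by self write
    by users read
    by * none

# Password policy overlay. The default policy entry named here should
# carry pwdCheckQuality: 2 so a pre-hashed value sent by a client is
# rejected outright, which forces clients onto exop and lets the history
# and quality checks see the cleartext.
# (Add "moduleload ppolicy.la" near the top if ppolicy is built as a module.)
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
```

The policy entry referenced by ppolicy_default is ordinary directory data (objectClass pwdPolicy, pwdAttribute: userPassword, pwdCheckQuality: 2, plus pwdInHistory and the other limits you want). To check the configuration, run the same password change twice with ldappasswd: with -ZZ (StartTLS required) the change succeeds, without it slapd refuses the modify with "Confidentiality required", and a hashed value pasted into a plain modify is rejected by the policy rather than stored. Note that security ssf=1 also turns away anonymous cleartext searches, so clients that relied on plain ldap:// need StartTLS (ssl start_tls in ldap.conf) before this goes live.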