> Now, am I right in thinking that I can use "clear" as long as I'm using > SSL to the LDAP server? Yes, sending un-hashed passwords over SSL is very safe. > What about setting local non-LDAP passwords with this set to "clear" > isn't that dangerous? No worries about this, pam_ldap password settings don't affect passwords stored locally in /etc/passwd. Your /etc/pam.d/system-auth password stack for Linux LDAP clients probably looks something like the below: password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type= password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_ldap.so use_authtok password required /lib/security/$ISA/pam_deny.so When setting local passwords, the stack will never even invoke pam_ldap, since the pam_unix line is "sufficient". ----- Original Message ----- From: "Philip Kime" <pkime at Shopzilla.com> To: <fedora-directory-users at redhat.com> Sent: Saturday, November 18, 2006 9:11 PM Subject: Re: password policy on FDS 1.0.2 - doesn't seem to work? I think have have an idea about this now ... the problem seems to be the exop password modify request. Subtree and user policies are ignored from ldappasswd (which uses exop) PAM (when pam_password is set to "exop" in /etc/ldap.conf) But are ok from Ldapmodify PAM (when pam_password is set to "clear" in /etc/ldap.conf) So, the RFC 3062 password modification requests seem to bypass the subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4. Now, am I right in thinking that I can use "clear" as long as I'm using SSL to the LDAP server? What about setting local non-LDAP passwords with this set to "clear" isn't that dangerous? I can't use "ssha" for pam_password as then password changes don't seem to work at all, which is why I changed to "exop". PK -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
