Gerrard Geldenhuis wrote:
> > Hi
> >
> > Problem Statement:
> >
> > If I have the following ldif executed by Directory Manager:
> >
> > dn: uid=jsmith,ou=People,dc=mycompany
> > changetype: modify
> > replace: userPassword
> > userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
> >
> > This will get transmitted in clear text (via SSL, if enabled) to the
> > server if done remotely and will be subject to any password policy set.
> >
> > If however the ldif looks like:
> >
> > dn: uid=smith,ou=People,dc=mycompany
> > changetype: modify
> > replace: userPassword
> > userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
> >
> > It is not subject to the password policy and still gets changed.
> >
> > Doing an ldapsearch will show the following:
> >
> > # jsmith, People, mycompany
> > dn: uid=jsmith,ou=People,dc=mycompany
> > uid: jsmith
> > cn: John Smith
> > userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
> >
> > Questions:
> >
> > Is the difference in behaviour when using a clear text password as
> > opposed to a {SSHA} password intentional?
>
> Yes.
>
> > Granted that it gets executed as Directory Manager.
>
> And that is why it goes through. Because you are using Directory Manager, the directory server "assumes you know what you are doing".
>
> > Is there any way apart from looking at:
> >
> > dn: cn=config
> > passwordStorageScheme: ssha
> >
> > to determine what the encryption will be. Or put differently, how can I
> > be sure that the string I am seeing has been properly encrypted
> > according to the set standard?
>
> Only set userPassword using clear text. That way you never have to worry about whether or not it has been properly encrypted. Never send a pre-encrypted password to the server. Using pre-encrypted passwords will break things like Windows Sync, Kerberos, SASL/DIGEST-MD5 - anything that must have the clear text password.
>
> > Best Regards
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
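The second question in the thread (how to tell whether a stored userPassword value actually matches the configured passwordStorageScheme) can be answered offline from ldapsearch output. The script below is an added example, not code from the thread or from the 389 Directory Server project. It assumes the usual {SSHA} layout, base64(SHA1(password + salt) + salt) with the salt appended after the 20-byte digest, decodes the `userPassword::` (base64) form that ldapsearch prints, classifies each entry as clear text, a foreign scheme, or a structurally valid SSHA blob, and can verify a clear-text candidate against a stored hash. It goes slightly beyond the single entry in the post by auditing a whole dump; the sample dump, the salt length and the example DNs are constructed for this example.

```python
"""Offline audit of userPassword values against passwordStorageScheme: ssha.

Added example, not part of the original thread or the 389 DS code base.
Nothing here talks to a directory server.
"""
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

SHA1_LEN = 20  # bytes in a SHA-1 digest; the salt follows it in an SSHA blob
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value with the assumed layout base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # salt length is an assumption for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def decode_ldif_value(line: str) -> str:
    """Return the value of an LDIF attribute line.

    'attr:: <base64>' (how ldapsearch prints userPassword) is decoded;
    'attr: <value>' is returned as written.
    """
    attr, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip()).decode("utf-8")
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    return rest.strip()


def check_scheme(value: str, expected: str) -> Tuple[str, bool]:
    """Classify one stored userPassword value.

    Returns (scheme, ok). scheme is the {TAG} found, or 'CLEAR' when there is
    none. ok is True only when the tag equals the configured scheme and, for
    SSHA, the payload is valid base64 holding a digest plus at least one salt
    byte. A value can be well-formed and still have been pre-hashed by the
    client, so this is a structural check, not proof the server hashed it.
    """
    m = SCHEME_RE.match(value)
    if not m:
        return ("CLEAR", False)
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme != expected.upper():
        return (scheme, False)
    if scheme == "SSHA":
        try:
            raw = base64.b64decode(payload, validate=True)
        except binascii.Error:
            return (scheme, False)
        return (scheme, len(raw) > SHA1_LEN)
    return (scheme, False)  # only SSHA is modelled in this example


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a clear-text candidate against a stored {SSHA} value."""
    scheme, ok = check_scheme(stored, "ssha")
    if not ok:
        return False
    raw = base64.b64decode(SCHEME_RE.match(stored).group(2))
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def audit(ldif_text: str, expected: str = "ssha") -> dict:
    """Map every dn in an ldapsearch dump to the classification of its userPassword."""
    result, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = decode_ldif_value(line)
        elif line.startswith("userPassword:") and dn is not None:
            result[dn] = check_scheme(decode_ldif_value(line), expected)
    return result


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed ldapsearch output (not real directory data): one proper SSHA
# entry, one malformed {SSHA} value, one password stored in clear text.
SAMPLE_DUMP = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64(ssha_hash("correct horse", b"12345678")),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}not-base64!"),
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword: plaintext-in-the-directory",
])

if __name__ == "__main__":
    for dn, (scheme, ok) in audit(SAMPLE_DUMP).items():
        print("%-45s %-6s %s" % (dn, scheme, "ok" if ok else "MISMATCH"))
```

Run it against `ldapsearch -D "cn=Directory Manager" -W -b ou=People,dc=... userPassword` output to find entries that were loaded with pre-hashed or clear values; anything flagged should be reset by writing the clear-text password so the server applies passwordStorageScheme and the password policy itself.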