Re: unhashed#user#password field

Rich Megginson <rmeggins@xxxxxxxxxx> · Fri, 18 May 2012 12:22:50 -0600



    On 05/18/2012 12:13 PM, Alberto Viana wrote:
    I have a 389 DS server replication agreement whith an
      AD Server and when I change the password in the windows side it
      replicates into 389 but via 389 console I can see this field
      "unhashed#user#password" in clear text.
      
        
      How can I encrypt this field? Is it possible?
    
    
    No, but you could use access control to deny access

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html

    
      I tried the following configuration:
      

      Source: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Creating_and_Maintaining_Databases-Database_Encryption
      

          dn: cn=unhashed#user#password,cn=encrypted
            attributes,cn=userRoot,cn=ldbm data
          base,cn=plugins,cn=config
          objectClass: top
          objectClass: nsAttributeEncryption
          cn: unhashed#user#password
          nsEncryptionAlgorithm: AES
          

          If
              I restart my server the field is gone.
        
    
    That's only for encrypting the data on disk (e.g. in case someone
    breaks into your system and attempts to read the value from the disk
    file).

    
          The fact is that I need to avoid my admin to see the
            user´s password. 
        
      
      --
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
    
    
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users