Re: [389-users] Enforcement of password policy dependent on presence of {password encryption type}?

Gerrard Geldenhuis wrote:
>
> Hi
>
> Problem Statement:
>
> If I have the following ldif executed by Directory Manager:
>
> dn: uid=jsmith,ou=People,dc=mycompany
> changetype: modify
> replace: userPassword
> userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
>
> This will get transmitted in clear text (via ssl, if enabled) to the 
> server if done remotely and will be subject to any password policy set.
>
>  
>
> If however the ldif looks like:
>
> dn: uid=smith,ou=People,dc=mycompany
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
>
> It is not subject to the password policy and still gets changed.
>
> Doing an ldapsearch will show the following:
>
> # jsmith, People, mycompany
> dn: uid=jsmith,ou=People,dc=mycompany
> uid: jsmith
> cn: John Smith
> userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
>
> Questions:
>
> Is the difference in behaviour when using a clear text password as 
> opposed to a {SSHA} password intentional?
>
Yes.
>
> Granted that it gets executed as Directory Manager.
>
And that is why it goes through.  Because you are using Directory 
Manager, the directory server "assumes you know what you are doing".
>
>  
>
> Is there any way apart from looking at :
>
> dn: cn=config
> passwordStorageScheme: ssha
>
> to determine what the encryption will be. Or, put differently, how can I 
> be sure that the string I am seeing has been properly encrypted 
> according to the set standard?
>
Only set userPassword using clear text.  That way you never have to 
worry about whether or not it has been properly encrypted.  Never send a 
pre-encrypted password to the server.  Using pre-encrypted passwords 
will break things like windows sync, kerberos, sasl/digest-md5 - 
anything that must have the clear text password.
>
>  
>
> Best Regards
>

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
