Re: [389-users] Enforcement of password policy dependent on presence of {password encryption type}?

On 9/22/2010 10:32 AM, Gerrard Geldenhuis wrote:

Hi

Problem Statement:

If I have the following ldif executed by Directory Manager:

dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171

 

This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.

 

If however the ldif looks like:

dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt

 

It is not subject to the password policy and still gets changed.

 
[snip]
Questions:

Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager.


I would think that the difference is not only intentional, but absolutely necessary.  SSHA is a *hash*; it is not the password.  There's no way to convert that hash back to a password to determine if the original data complied with security policies.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
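
The point made in the reply above, as an added example that is not part of the original messages and is not 389 Directory Server code: a {SSHA} value holds only base64(SHA1(password + salt) + salt), so a candidate password can be verified against it, but a content rule such as minimum length has nothing to inspect. The function names and the MIN_LENGTH rule are assumptions made for illustration, and the salt and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}.+$")
MIN_LENGTH = 8  # assumed policy rule, for illustration only


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(value: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    guess = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(guess, digest)


def check_policy(user_password: str) -> str:
    """Return 'ok', 'rejected' or 'unchecked' for a userPassword value."""
    if SCHEME_RE.match(user_password):
        # Only digest + salt are present: the length and character classes
        # of the original password cannot be read back out of them.
        return "unchecked"
    return "ok" if len(user_password) >= MIN_LENGTH else "rejected"


if __name__ == "__main__":
    salt = bytes.fromhex("0a1b2c3d")   # constructed sample salt
    weak = "abc"                       # constructed sample password
    hashed = make_ssha(weak, salt)
    print("cleartext :", check_policy(weak))
    print("pre-hashed:", check_policy(hashed))
    print("verifies  :", verify_ssha(hashed, weak))
```

The same three-character password is rejected when sent in clear text and passes unexamined once it arrives already hashed, which matches the behaviour described in the question.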
