r0m5 wrote:
> 1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext passwords and slapd hashes it before writing in database for security reasons (and slapd can perform password quality checks).

There's a nasty issue with this configuration option when using slapo-accesslog:

If the client sends the clear-text 'userPassword' value but the password quality check fails and therefore the modify request fails with constraintViolation, the clear-text 'userPassword' value will be written to the accesslog DB. In case of successful modification only the hashed 'userPassword' value is written to the accesslog DB. :-/

> But I need exceptions for that. Indeed for some reason I have to use EAP-MD5 and EAP-MD5 makes it mandatory to store cleartext passwords in LDAP. So I would like to find a way to use "olcPPolicyHashCleartext: TRUE" on some OUs, but not on others. Any way to do that?

AFAIK not feasible within the same database.

BTW: I'd also like to see those slapo-ppolicy parameters along with the slapd.conf directives password-hash / password-crypt-salt-format to be read from the 'pwdPolicy' entry for exactly this reason.

> Maybe setting up a second mdb database with a different ppolicy overlay configuration ("olcPPolicyHashCleartext: FALSE") and the same olcSuffix as the existing database? A search on the base DN would then need to cover the two databases.

Yes, slapo-ppolicy config can be different per database.
Also consider setting password-hash / password-crypt-salt-format per database.

> 2) syncrepl of (for example) 'pwdChangedTime'. This attribute is not synced to my consumers,

Works for me (with LTB builds of OpenLDAP 2.4.45 on Debian Jessie).

Ciao, Michael.
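To illustrate the per-database slapo-ppolicy configuration discussed in this thread, here is an added example in cn=config LDIF; it is not from the thread or from the OpenLDAP project. It glues a subordinate mdb database for the subtree that must keep clear-text passwords under a superior database that hashes them, and it enables the accesslog overlay with logsuccess so that failed modify requests (the case where the clear-text 'userPassword' would otherwise reach the log DB) are not recorded. Suffixes, database indexes, directories, the root DN and the policy DN are constructed placeholders; it is assumed that the subordinate database is ordered before its superior and that a cn=accesslog database already exists.

```ldif
# Added example, not from the thread: two mdb databases with different
# slapo-ppolicy settings. All suffixes, indexes, paths and DNs below are
# constructed placeholders. Assumption: the subordinate database carries the
# lower olcDatabase index so it is ordered before its superior.

# Subordinate database for the subtree that must keep clear-text passwords
# (EAP-MD5 accounts). olcSubordinate glues it into the superior's namespace,
# so a search based at dc=example,dc=com covers both databases.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: ou=eap-md5,dc=example,dc=com
olcSubordinate: TRUE
olcDbDirectory: /var/lib/ldap/eap-md5
olcRootDN: cn=admin,dc=example,dc=com

# ppolicy on the subordinate: store userPassword exactly as the client sends it.
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: FALSE

# Superior database holding everything else under dc=example,dc=com.
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap/example
olcRootDN: cn=admin,dc=example,dc=com

# ppolicy on the superior: hash clear-text passwords on the server side
# (password quality checks can run because slapd sees the clear-text value).
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# accesslog on the superior. olcAccessLogSuccess: TRUE logs only successful
# requests, so a modify rejected with constraintViolation (and the clear-text
# userPassword it carried) is not written to the cn=accesslog database.
dn: olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
```

These entries would be loaded with ldapadd over ldapi:/// using SASL EXTERNAL as root (or, with an existing configuration, merged in with ldapmodify after adjusting the indexes to the ones already in use). Whether an existing accesslog already contains leaked values can be checked by searching cn=accesslog for auditModify entries whose reqResult is 19 (constraintViolation) and whose reqMod values name userPassword; any such entry should be purged and the affected password changed.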
