r0m5 wrote:
> 1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext 
> passwords and
> slapd hashes it before writing in database for security reasons (and slapd 
> can perform
> password quality checks).

There's a nasty issue with this configuration option when using slapo-accesslog:

If the client sends the clear-text 'userPassword' value but the password 
quality check
fails and therefore the modify request fails with constraintViolation the 
'userPassword' value will be written to accesslog DB. In case of successful 
only the hashed 'userPassword' value is written to accesslog DB. :-/

> But I need exceptions for that. Indeed for some reason I have
> to use EAP-MD5 and EAP-MD5 makes it mandatory to store cleartext passwords in 
> LDAP. So I
> would like to find a way to use "olcPPolicyHashCleartext: TRUE" on some OUs, 
> but not on
> others. Any way to do that ?

AFAIK not feasible within the same database.

BTW: I'd also like to see those slapo-ppolicy parameters along with slapd.conf 
password-hash / password-crypt-salt-format to be read from the 'pwdPolicy' 
entry for
exactly this reason.

> Maybe setting up a second mdb database with a different ppolicy overlay 
> configuration 
> ("olcPPolicyHashCleartext: FALSE") and the same olcSuffix than the existing 
> database ?
> A search on the base DN would then need to cover the two databases.

Yes, slapo-ppolicy config can be different per database.
Also consider setting password-hash / password-crypt-salt-format per database.

> 2) syncrepl of (for example) |pwdChangedTime|. This attribute is not synced 
> to my
> consumers,

Works for me (with LTB builds of OpenLDAP 2.4.45 on Debian Jessie).

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to