r0m5 wrote: > 1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext > passwords and > slapd hashes it before writing in database for security reasons (and slapd > can perform > password quality checks).
There's a nasty issue with this configuration option when using slapo-accesslog: If the client sends the clear-text 'userPassword' value but the password quality check fails and therefore the modify request fails with constraintViolation the clear-text 'userPassword' value will be written to accesslog DB. In case of successful modification only the hashed 'userPassword' value is written to accesslog DB. :-/ > But I need exceptions for that. Indeed for some reason I have > to use EAP-MD5 and EAP-MD5 makes it mandatory to store cleartext passwords in > LDAP. So I > would like to find a way to use "olcPPolicyHashCleartext: TRUE" on some OUs, > but not on > others. Any way to do that ? AFAIK not feasible within the same database. BTW: I'd also like to see those slapo-ppolicy parameters along with slapd.conf directives password-hash / password-crypt-salt-format to be read from the 'pwdPolicy' entry for exactly this reason. > Maybe setting up a second mdb database with a different ppolicy overlay > configuration > ("olcPPolicyHashCleartext: FALSE") and the same olcSuffix than the existing > database ? > A search on the base DN would then need to cover the two databases. Yes, slapo-ppolicy config can be different per database. Also consider setting password-hash / password-crypt-salt-format per database. > 2) syncrepl of (for example) |pwdChangedTime|. This attribute is not synced > to my > consumers, Works for me (with LTB builds of OpenLDAP 2.4.45 on Debian Jessie). Ciao, Michael.
Description: S/MIME Cryptographic Signature