--On Tuesday, August 08, 2017 8:46 PM +0200 Michael Ströder <mich...@stroeder.com> wrote:

r0m5 wrote:
1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext
passwords and slapd hashes it before writing in database for security
reasons (and slapd can perform password quality checks).


There's a nasty issue with this configuration option when using
slapo-accesslog:

If the client sends the clear-text 'userPassword' value but the password
quality check fails and therefore the modify request fails with
constraintViolation the clear-text 'userPassword' value will be written
to accesslog DB. In case of successful modification only the hashed
'userPassword' value is written to accesslog DB. :-/

Is there an ITS on this?  If not, there should be.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>


Reply via email to