--On Tuesday, August 08, 2017 8:46 PM +0200 Michael Ströder
1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext
passwords and slapd hashes it before writing in database for security
reasons (and slapd can perform password quality checks).
There's a nasty issue with this configuration option when using
If the client sends the clear-text 'userPassword' value but the password
quality check fails and therefore the modify request fails with
constraintViolation the clear-text 'userPassword' value will be written
to accesslog DB. In case of successful modification only the hashed
'userPassword' value is written to accesslog DB. :-/
Is there an ITS on this? If not, there should be.
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: