Good
morning.
I have been playing
with FDS 1.0.2 for some time, and have been
successful in
getting the Directory Server to enforce password
policy by toggling
the "nsslapd-pwpolicy-local" flag to "on", then
establishing a local
policy for my "ou=People" subtree.
This enforcement
appears to work only when I change the password
for a user through
the Fedora Management Console interface when I'm
logged in as the
Directory Manager (cn=Directory Manager).
When I attempt to
change the "userPassword" attribute for my test user
via perl's Net::LDAP
library using the smbldap-tools scripts (smbldap-passwd),
smbldap-passwd takes
the cleartext of the new password, and hashes it using SSHA.
This hashed text
(ciphertext) is then used to replace the "userPassword" attribute for
the user
in a subsequent LDAP
bind operation. This process effectively bypasses the password
policy defined for
the user's subtree.
Is there a way
(through Perl or Java) to supply the cleartext to the server through
SSL/TLS,
and have it apply
the password policy on the cleartext before the server hashes the
cleartext?
Regards,
Eliot
======================================
Eliot
Lebsack
Lead Communications Engineer
The MITRE Corporation Bedford, MA