Re: [389-users] Enforcement of password policy dependend on presence of {password encryption type}?
On 9/22/2010 10:32 AM, Gerrard Geldenhuis wrote:
Hi
Problem Statement:
If I have the following ldif executed by Directory Manager:
dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
This will get transmitted in clear text (via ssl, if enabled) to the
server if done remotely and will be subject to any password policy set.
If however the ldif looks like:
dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
It is not subject to the password policy and stil gets changed.
[snip]
Questions:
Is the difference in behaviour when using a clear text password as
opposed to a {SSHA} password intentional? Granted that it gets
executed as Directory Manager.
I would think that the difference is not only intentional, but
absolutely necessary. SSHA is a *hash*; it is not the password.
There's no way to convert that hash back to a password to determine if
the original data complied with security policies.
Attachments:
- attachment.html (text/html — 4.0 KB)