Gerrard Geldenhuis wrote:
Hi
Problem Statement:
If I have the following ldif executed by Directory Manager:
dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
This will get transmitted in clear text (via ssl, if enabled) to the
server if done remotely and will be subject to any password policy set.
If however the ldif looks like:
dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
It is not subject to the password policy and stil gets changed.
doing a ldapsearch will show the following:
# jsmith, People, mycompany
dn: uid=jsmith,ou=People,dc=mycompany
uid: jsmith
cn: John Smith
userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
Questions:
Is the difference in behaviour when using a clear text password as
opposed to a {SSHA} password intentional?
Yes.
Granted that it gets executed as Directory Manager.
And that is why it goes through. Because you are using Directory
Manager, the directory server "assumes you know what you are doing".
Is there any way apart from looking at :
dn: cn=config
passwordStorageScheme: ssha
to determine what the encryption will be. Or put differently how can I
be sure that the string I am seeing has been properly encrypted
according the set standard?
Only set userPassword using clear text. That way you never have to
worry about whether or not it has been properly encrypted. Never send a
pre-encrypted password to the server. Using pre-encrypted passwords
will break things like windows sync, kerberos, sasl/digest-md5 -
anything that must have the clear text password.
Best Regards
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
------------------------------------------------------------------------
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users