Good morning.
I have been playing with FDS 1.0.2 for some time, and have been
successful in getting the Directory Server to enforce password
policy by toggling the "nsslapd-pwpolicy-local" flag to "on", then
establishing a local policy for my "ou=People" subtree.
This enforcement appears to work only when I change the password
for a user through the Fedora Management Console interface when I'm
logged in as the Directory Manager (cn=Directory Manager).
When I attempt to change the "userPassword" attribute for my test user
via perl's Net::LDAP library using the smbldap-tools scripts
(smbldap-passwd),
smbldap-passwd takes the cleartext of the new password, and hashes it
using SSHA.
This hashed text (ciphertext) is then used to replace the
"userPassword" attribute for the user
in a subsequent LDAP bind operation. This process effectively bypasses
the password
policy defined for the user's subtree.
Is there a way (through Perl or Java) to supply the cleartext to the
server through SSL/TLS,
and have it apply the password policy on the cleartext before the
server hashes the cleartext?
Regards,
Eliot
======================================
Eliot Lebsack
Lead Communications Engineer
The MITRE Corporation Bedford, MA
Show replies by date