Michael Ströder wrote:
Emily Backes wrote:
It's sounding like the newer and more complicated hashes have a lot of configurable features that may need site-local tuning. Should these be part of e.g. slapd.conf config or be settings embedded in the value format for later clarity, like
{HASHNAME:attr=val,attr=val,attr=val}SnVzdCBhbiBleGFtcGxlLCBzaWxseQ==
Somewhat both.
Like in the past, the password-hash should allow setting the current local security policy for setting new passwords, but old password values should still be valid for authentication.
This also reminds me of this old RFE:
http://www.openldap.org/its/index.cgi?findid=7981
It might be interesting to extend the ITS to also specify the set of password schemes still accepted when processing password validation. Well, this could maybe also be done with value ACLs but...
Ciao, Michael.
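
The value format proposed in the quoted message and the accepted-schemes idea from the reply, as an added example that is not part of the original thread and is not OpenLDAP code. The scheme names NEWHASH, OLDHASH and RETIRED, the policy variables and the case-insensitive scheme comparison are assumptions made for illustration.

```python
import base64
import re

# Hypothetical local policy (constructed names, not OpenLDAP settings):
NEW_PASSWORD_SCHEME = "NEWHASH"            # used when a new password is set
ACCEPTED_SCHEMES = {"NEWHASH", "OLDHASH"}  # still valid for authentication

# {SCHEME} or {SCHEME:attr=val,attr=val} followed by a base64 payload
_VALUE_RE = re.compile(r"\{([A-Za-z0-9_.-]+)(?::([^}]*))?\}(.*)", re.S)

def parse_value(value):
    """Split a stored value into (scheme, [(attr, val), ...], raw bytes)."""
    m = _VALUE_RE.fullmatch(value)
    if not m:
        raise ValueError("missing {SCHEME} prefix")
    scheme, raw_params, payload = m.groups()
    params = []
    if raw_params is not None:
        for item in raw_params.split(","):
            key, sep, val = item.partition("=")
            if not key or not sep:
                raise ValueError(f"malformed parameter {item!r}")
            params.append((key, val))
    # validate=True rejects characters outside the base64 alphabet
    # (binascii.Error is a ValueError subclass)
    data = base64.b64decode(payload, validate=True)
    # Assumption: scheme names are compared case-insensitively
    return scheme.upper(), params, data

def classify(value):
    """Return 'current', 'legacy-accepted' or 'rejected' for a stored value."""
    try:
        scheme, _params, _data = parse_value(value)
    except ValueError:
        return "rejected"          # unparseable values never authenticate
    if scheme not in ACCEPTED_SCHEMES:
        return "rejected"          # scheme retired by local policy
    if scheme == NEW_PASSWORD_SCHEME:
        return "current"
    return "legacy-accepted"       # old value, still valid for authentication

if __name__ == "__main__":
    # Constructed sample values; AAAA is a dummy base64 payload
    for v in ("{NEWHASH:rounds=10000}AAAA", "{oldhash}AAAA", "{RETIRED}AAAA"):
        print(v, "->", classify(v))
```

Embedding the parameters in the value keeps old entries verifiable after the site-wide defaults change, while the accepted set is the single place where a scheme is retired.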