Hi list, as I don't know if this behavior comes from my slapd itself, I'm not giving too many details on it. Here is what's happening: in slapd.conf I have 'password-hash {SSHA}', so I'm expecting that each password attribute change results in a new SSHA-hashed password. Our users can change their password in several ways, which all result in different stored password hashes (cleartext (!), SHA, but not SSHA). Is the hashing type specified on the client's side and not enforced by the directory? Can someone give me some pointers to docs explaining how the password change mechanism works in OpenLDAP?
kfx
At 12:30 AM 12/8/2006, kadafax wrote:
Hi list, as I don't know if this behavior comes from my slapd itself, I'm not giving too many details on it. Here is what's happening: in slapd.conf I have 'password-hash {SSHA}', so I'm expecting that each password attribute change results in a new SSHA-hashed password.
You need to adjust your expectation. slapd.conf(5) says: This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). ... Note that this option does not alter the normal user applications handling of userPassword during LDAP Add, Modify, or other LDAP operations.
The behavior you see is most likely due to one client using the LDAP Password Modify Extended Operation and one client using LDAP Modify to change a userPassword.
- Kurt
openldap-software@openldap.org
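An added example, not part of the thread and not OpenLDAP code: a Python audit over an LDIF export that reports every entry whose userPassword is not stored as {SSHA}, which is the symptom described above when a client writes userPassword with LDAP Modify instead of the Password Modify Extended Operation. The DNs, the password and the salt are constructed sample values, and the function names are hypothetical.

```python
import base64, hashlib, hmac, re

def make_ssha(password: bytes, salt: bytes) -> str:
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: bytes) -> bool:
    """Verify a password against a stored {SSHA} value (20-byte digest, then salt)."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())

def scheme_of(value: bytes) -> str:
    """Return the scheme prefix of a userPassword value, or CLEARTEXT if none."""
    m = re.match(rb"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).decode().upper() if m else "CLEARTEXT"

def audit_ldif(ldif: str, wanted: str = "SSHA") -> dict:
    """Map DN -> scheme for every userPassword not stored with `wanted`."""
    findings, dn = {}, None
    unfolded = ldif.replace("\n ", "")  # LDIF folds long lines with "\n "
    for line in unfolded.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("userpassword:"):
            rest = line[len("userPassword:"):]
            # "::" marks a base64-encoded value, a single ":" a literal one
            raw = (base64.b64decode(rest[1:].strip()) if rest.startswith(":")
                   else rest.strip().encode())
            if scheme_of(raw) != wanted:
                findings[dn] = scheme_of(raw)
    return findings

def sample_ldif() -> str:
    """Constructed sample: three entries as different clients might leave them."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    ssha = make_ssha(b"secret", b"\x01\x02\x03\x04")
    sha = "{SHA}" + base64.b64encode(hashlib.sha1(b"secret").digest()).decode()
    return (f"dn: uid=alice,dc=example,dc=com\nuserPassword:: {b64(ssha)}\n\n"
            f"dn: uid=bob,dc=example,dc=com\nuserPassword:: {b64(sha)}\n\n"
            "dn: uid=carol,dc=example,dc=com\nuserPassword: secret\n")

if __name__ == "__main__":
    for dn, scheme in audit_ldif(sample_ldif()).items():
        print(f"{dn}: stored as {scheme}")
```

Entries it flags are the ones to trace back to the client that wrote them.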