On Thu, Sep 03, 2015 at 10:54:03AM -0700, Chuck Theobald wrote:
> I am finding it impossible to set user passwords to the form {SASL}name@ad.domain.my
> ldapmodify can delete userPassword, and can add it again but ends up setting it to a hash despite trying password-hash {CLEARTEXT} and password-hash {SASL} in slapd.conf. And no, I am not using slapd.d.
What sort of hash is it getting set to, when you do that? Are you aware that ldapsearch/slapcat always output userPassword in base64 format (which is different from a hash)?
Are you using the ppolicy overlay? A userPassword attribute set with ldapmodify (not ldappasswd) should be unmolested in general, unless you have ppolicy_hash_cleartext enabled (by default, it is not).
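
To illustrate the base64-versus-hash point in the reply above, here is an added example (not part of the original message) that decodes `userPassword::` values from ldapsearch/slapcat LDIF output and reports which storage scheme each one uses. The sample LDIF, the DNs and the {SSHA} value are constructed for illustration.

```python
import base64
import re

# Constructed sample of ldapsearch/slapcat output. alice holds the pass-through
# form from the thread (folded across two lines); bob holds a made-up {SSHA} value.
_FAKE_SSHA = "{SSHA}" + base64.b64encode(bytes(24)).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: e1NBU0x9bmFtZUBhZC5k\n"
    " b21haW4ubXk=\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(_FAKE_SSHA.encode()).decode() + "\n"
)

def _value(rest):
    """Decode what follows 'attr:'; a second ':' marks a base64 value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()

def classify(stored):
    """Split a stored userPassword into (kind, remainder) by its {SCHEME} prefix."""
    m = re.match(r"\{([A-Za-z0-9_-]+)\}(.*)", stored, re.S)
    if not m:
        return "cleartext", stored
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SASL":
        return "sasl-passthrough", rest
    if scheme == "CLEARTEXT":
        return "cleartext", rest
    return "hashed:" + scheme, rest

def report(ldif):
    """Return (dn, kind, remainder) for every userPassword value in the LDIF."""
    out, dn = [], None
    unfolded = re.sub(r"\r?\n ", "", ldif)  # join LDIF continuation lines
    for line in unfolded.splitlines():
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if attr.lower() == "dn":
            dn = _value(rest)
        elif attr.lower() == "userpassword":
            out.append((dn, *classify(_value(rest))))
    return out

if __name__ == "__main__":
    for dn, kind, rest in report(SAMPLE_LDIF):
        print(dn, kind, rest if kind == "sasl-passthrough" else "<not shown>")
```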