Hi community,

We want implement password politics in our DIT, and are testing ppolicy and found issues using olcPasswordHash, Password Modify Extension and so. Here are my testings:

1) My cn=config with olcPasswordHash and olcSuffix values

$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "cn=config" olcPasswordHash olcSuffix
dn: cn=config
olcPasswordHash: {SSHA}
...
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA}
olcPasswordHash: {SHA}
olcPasswordHash: {SMD5}
olcPasswordHash: {MD5}
olcPasswordHash: {CRYPT}
...
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=ktu,dc=lt

$

2) My testing user exists without userPassword attribute

$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt

$

3) Making a password for a test user. As documentation says "ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation."

$ ldappasswd -h localhost -D "cn=admin,dc=ktu,dc=lt" -x -W -S "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt"
New password:
Re-enter new password:
Enter LDAP Password:
$

4) userPassword is somehow gets multivalued

$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
# testuser9@ktu.lt, People, Users, ktu.lt
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
userPassword:: e1NTSEF9RlE3VjRYa003RVJ6eGFTNjR4ZkFRSzRGZEk4cFk0UDQ=    --> {SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4
userPassword:: e1NTSEF9K1JtbWl3M0RxTTV3aEl0U3g5TjVrZWRETlpES3NROUg=    --> {SSHA}+Rmmiw3DqM5whItSx9N5kedDNZDKsQ9H
userPassword:: e1NIQX1maVFONTAreDdRajZDTk9BWS9hbXFSUmlxQlU9        --> {SHA}fiQN50+x7Qj6CNOAY/amqRRiqBU=
userPassword:: e1NNRDV9VUdaa3ZDSWI5Qld4a1VNcUhyZEl3ZElTbnJ3PQ==        --> {SMD5}UGZkvCIb9BWxkUMqHrdIwdISnrw=
userPassword:: e01ENX1SN3pseDA5WW4waG4yOVYrbktuNENBPT0=            --> {MD5}R7zlx09Yn0hn29V+nKn4CA==
userPassword:: e0NSWVBUfTFNZVAud1ZxenEvdWM=                --> {CRYPT}1MeP.wVqzq/uc

$

I guess "frontend" database has so called global olcPasswordHash directive in effect over all databases. I also guess, that 1 SSHA form comes from cn=config, and other 5 forms comes from "frontend". Does anyone know if this is true?

5) if above is true, overwriting globals in local database config seems like a solution to me, but ...

$ ldapmodify -D "cn=admin,dc=ktu,dc=lt" -W -x <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {SSHA}
> EOF
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcPasswordHash' not allowed

$

Is it possible to get rid of not secure forms of password schemes? I always believed, that password-hash (olcPasswordHash) should help to do that. Maybe I don't know something? I also think, that it could be related to ITS#7625, why ppolicy shows "Additional info: Password policy only allows one password value" error message. Please, help to clear things out.

System: Debian 7.0 (wheezy)
OpenLDAP: 2.4.31 (from package)

Thank you.

-- 
Pagarbiai,
Nerijus Kislauskas
KTU ITD, Litnet valdymo centras
Studentu g. 48a - 101, Kaunas
tel.: (8~37) 30 06 45
mob. tel.: 8-614-93889
e-mail.: nerijus.kislauskas@ktu.lt