Craig and Quanah, Thank you so much for your valuable input. I'll change the default scheme to SSHA and also work with the web developers and check how the application is creating/updating the LDAP password. This helps a lot. I'll keep you updated. Thanks again!
Jeevan
From: CWhite@skytouchtechnology.com
To: quanah@zimbra.com; jeev_biz@hotmail.com; openldap-technical@openldap.org
Subject: RE: Openldap password problems
Date: Thu, 14 May 2015 22:01:59 +0000

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Thursday, May 14, 2015 2:59 PM
To: Craig White; jeevan kc; openldap-technical@openldap.org
Subject: RE: Openldap password problems
--On Thursday, May 14, 2015 10:53 PM +0000 Craig White CWhite@skytouchtechnology.com wrote:
No
I disagree. Setting the default to {CRYPT} is a security nightmare, regardless of what the application is doing. If the application is (correctly) using an LDAPv3 password modify op, it'll get set to CRYPT on the OpenLDAP server due to their (broken) configuration.
Better solution is to ensure the openldap default is sane, and to also verify the web application is sane.
Yes, sorry - don't mean to disagree with your thinking. I gathered he thought he could just change the terms from crypt to sha or ssha and that OpenLDAP would take care of it automatically.
Yes, crypt is ancient and easily defeated, I gather (never tried myself). Yes, changing the default scheme is good, but we don't know how he is creating users/passwords.
Craig
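The two points the thread turns on are (a) what `password-hash` (slapd.conf) / `olcPasswordHash` (cn=config) is set to, and (b) whether the application sets passwords through the LDAPv3 Password Modify extended operation, which is the only path on which slapd applies that directive; a plain modify of `userPassword` stores whatever bytes the client sent. Changing the directive to `{SSHA}` therefore only affects passwords set afterwards, and existing `{CRYPT}` or cleartext values stay until each user's password is next changed. The script below is an added example, not code from the thread or from OpenLDAP: it classifies every `userPassword` in an LDIF dump by its `{SCHEME}` prefix, lists the entries still not stored as `{SSHA}`, and shows how an `{SSHA}` value is built and verified. The LDIF, the DNs and the password values are constructed for the example; only the standard library is used.

```python
"""Audit which password-storage scheme each LDAP entry actually uses.

Added example (not from the OpenLDAP list thread). Parses a constructed
LDIF dump, classifies each userPassword value by its {SCHEME} prefix and
shows how {SSHA} is generated and checked. Python 3.8+, stdlib only.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# OpenLDAP prefixes stored hashes with the scheme name in braces; names
# are matched case-insensitively by slapd, so we normalise to upper case.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.DOTALL)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way `slappasswd -h '{SSHA}'` does:
    base64( SHA1(password || salt) || salt ), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    The salt is whatever follows the 20-byte SHA-1 digest."""
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_userpasswords(ldif: str) -> List[Tuple[str, str]]:
    """Return (dn, userPassword) pairs from an LDIF dump, handling both
    'attr: value' and base64 'attr:: value' lines (ldapsearch and slapcat
    emit userPassword base64-encoded) and LDIF line folding."""
    unfolded = re.sub(r"\n ", "", ldif)  # continuation lines start with a space
    results: List[Tuple[str, str]] = []
    dn = ""
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.lower().startswith("userpassword:: "):
            results.append((dn, base64.b64decode(line[15:]).decode("utf-8", "replace")))
        elif line.lower().startswith("userpassword: "):
            results.append((dn, line[14:]))
    return results


def classify(value: str) -> str:
    """Map a stored userPassword value to its scheme name. No {SCHEME}
    prefix means slapd stored the bytes exactly as the client sent them,
    i.e. cleartext unless the application pre-hashed in its own format."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"


def audit(ldif: str, acceptable=("SSHA",)) -> Dict[str, str]:
    """Return {dn: scheme} for every entry NOT stored in an acceptable
    scheme. These are the accounts that a new password-hash default does
    not fix: they keep their old value until the password is reset."""
    ok = {s.upper() for s in acceptable}
    return {dn: classify(v) for dn, v in parse_userpasswords(ldif)
            if classify(v) not in ok}


# Constructed sample dump. alice was set via Password Modify after the
# default became {SSHA}; bob dates from the {CRYPT} default; carol's value
# is an unsalted {SHA}; dave's application wrote userPassword directly.
_SSHA_ALICE = make_ssha("correct horse", salt=b"\x00\x01\x02\x03")
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(_SSHA_ALICE.encode()).decode() + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword: {CRYPT}ab01FAX.bQRSU\n"  # constructed 13-char DES crypt string
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"  # constructed unsalted SHA-1
    "\n"
    "dn: uid=dave,ou=people,dc=example,dc=com\n"
    "userPassword: hunter2\n"  # cleartext: stored as sent by a plain modify
)

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE_LDIF).items():
        print(f"needs rehash: {dn} ({scheme})")
    print("alice verifies:", verify_ssha("correct horse", _SSHA_ALICE))
```

Feed it the output of `slapcat` or of an `ldapsearch` for `userPassword` run as the rootdn; anything `audit()` reports will keep its weak or cleartext value regardless of the new default, so those users need a password reset through `ldappasswd` (Password Modify), and the web application should be switched to that operation rather than writing `userPassword` itself.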