On Nov 26, 2021, 5:35 PM -0500, A. Schulze <sca@andreasschulze.de>, wrote:

Hello,

using slapo-ppolicy I could configure slapd to hash a password if it's sent unhashed.

moduleload ppolicy.la
moduleload argon2.la
password-hash {ARGON2}

database mdb
suffix dc=test
...
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicies,dc=test"
ppolicy_hash_cleartext


That work and I could hash them using ARGON2.

But clients could still hash a password them self and write '{MD5}...' as userPassword for example.
Is it possible to reject any userPasswords prefixed with hash schema?

Andreas