23 Oct
2008
23 Oct
'08
6:58 a.m.
NUNIN Roberto wrote:
To avoid this behavior, I've added the instruction:
pam_crypt local
in /etc/openldap/ldap.conf
This enables client-side hashing but only for components using pam_ldap.
Please note: Even if the values of userPassword are hashed you should have appropriate access control in place. Otherwise an attacker can conduct off-line dictionary attacks.
Before just doing arbitrary configuration modifications you should learn which options you have and which implications there are:
http://www.openldap.org/faq/data/cache/419.html
Ciao, Michael.