--On Tuesday, March 19, 2019 12:43 PM -0400 Bob Hund bob.hund.29686@gmail.com wrote:
My gut feeling is that I should reset the hashes and discard the cleartext to prevent misuse of these credentials. Is there any reason not to do this?
You have a few options:
a) Use slappasswd to generate a hash of the password rather than using a cleartext value. b) Do something like debian & redhat do, and use SASL/EXTERNAL plus a regexp map for the local "root" user to be able to be the rootdn, and have no password value set c) Or just delete it entirely. I'd suggest (a) or (b) instead, in case you ever needed elevated privileges that are not subject to ACLs.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com