--On Tuesday, August 08, 2017 8:46 PM +0200 Michael Ströder michael@stroeder.com wrote:
> r0m5 wrote:
>> - I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext
>> passwords and slapd hashes it before writing in database for security
>> reasons (and slapd can perform password quality checks).
>
> There's a nasty issue with this configuration option when using
> slapo-accesslog:
>
> If the client sends the clear-text 'userPassword' value but the password
> quality check fails, and therefore the modify request fails with
> constraintViolation, the clear-text 'userPassword' value will be written
> to accesslog DB. In case of successful modification only the hashed
> 'userPassword' value is written to accesslog DB. :-/

Is there an ITS on this? If not, there should be.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
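
A check for the exposure described in this thread, as an added example that is not part of the original messages: it scans an LDIF export of the accesslog database for modify records that failed with constraintViolation (result code 19) and whose reqMod still carries an unhashed userPassword. The sample records and DNs are constructed, and treating a leading {SCHEME} prefix as "hashed" is an assumption of this example.

```python
import base64
import re

CONSTRAINT_VIOLATION = "19"  # LDAP resultCode for constraintViolation
# reqMod layout per slapo-accesslog(5): attribute:<+|-|=|#> [ value]
REQMOD = re.compile(r"^userPassword:[+\-=#](?: (.*))?$", re.I | re.S)
# Assumption: stored hashes start with a {SCHEME} prefix such as {SSHA}.
HASHED = re.compile(r"^\{[A-Za-z0-9._-]+\}")

def parse_ldif(text):
    """Yield each LDIF entry as a dict of lower-cased attribute -> values."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # unfold lines
            attr, sep, rest = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            value = rest.lstrip(" ")
            if rest.startswith(":"):  # "attr:: ..." means base64 value
                value = base64.b64decode(rest[1:].strip()).decode(errors="replace")
            entry.setdefault(attr.lower(), []).append(value)
        yield entry

def find_cleartext_leaks(ldif_text):
    """Return DNs of failed modifies whose reqMod holds an unhashed userPassword."""
    leaks = []
    for entry in parse_ldif(ldif_text):
        if entry.get("reqresult", [""])[0] != CONSTRAINT_VIOLATION:
            continue
        mods = (REQMOD.match(m) for m in entry.get("reqmod", []))
        if any(m and m.group(1) and not HASHED.match(m.group(1)) for m in mods):
            leaks.append(entry.get("dn", ["?"])[0])
    return leaks

# Constructed sample records (not real log data); the third is base64-encoded.
_B64 = base64.b64encode("userPassword:= pässw0rd".encode()).decode()
SAMPLE = f"""\
dn: reqStart=20170808184501.000001Z,cn=accesslog
reqResult: 19
reqMod: userPassword:= Summer2017

dn: reqStart=20170808184602.000001Z,cn=accesslog
reqResult: 0
reqMod: userPassword:= {{SSHA}}Q29uc3RydWN0ZWRTYW1wbGU=

dn: reqStart=20170808184703.000001Z,cn=accesslog
reqResult: 19
reqMod:: {_B64}
"""
```

Run `find_cleartext_leaks()` on the output of a `slapcat` export of the accesslog database; any DN it returns is a log record to purge and a password to rotate.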