Antw: [EXT] warning in SLAPO_PPOLICY(5) regarding ppolicy_hash_cleartext
>> Christopher Paul <chris.paul(a)rexconsulting.net> schrieb
am 22.03.2021 um 18:49
in Nachricht
<a3f5ac1d-d821-933d-0537-f0d50c8ff6b8(a)rexconsulting.net>:
Hello,
I read the warning in SLAPO_PPOLICY(5) regarding ppolicy_hash_cleartext:
"It is recommended that when this option is used that compare, search,
and read access be denied to all directory users".
Am I correct to presume that this means that the compare, search, read
access be denied for directory users' _own_ (self) userPassword attrs,
right?
Because compare, search, read access to _other_ users' userPassword is
rightfully denied typically by any sensible access control ruleset. (Right?)
And if this document does mean to say that compare, search, and read
access should be denied for directory users' _own_ (self) userPassword
attrs, can someone please explain why, if users can read their
userPassword, it would be worse for it to be encrypted than plain text?
Obviously if you come to some user's terminal that isn't locked, you cannot find
outthe user's password normally (nor can you change it), but when readoing the
cleartext password you could.
Many thanks,
Chris Paul
Rex Consulting, Inc
email: chris.paul(a)rexconsulting.net
web: http://www.rexconsulting.net <http://www.rexconsulting.net>
phone, toll-free: +1 (888) 403-8996 ext 1