Dear openldap-technical users,
My password policies (openldap 2.5.11) are not enforced, and Roland Gruber (author of LAM (Pro)) kindly advised me that passwords must be stored in plaintext (Hash=PLAIN) in order to be able to enforce password minimal length, password quality etc. (i.e. when using passwd(1) on Linux or an LDAP client on Windows).
Currently we are storing passwords as base64 encoded (::*) Salted SHA1 hashes ("{SSHA}*") (according to slapcat -n 1).
tl;dr: For enforcing password policies, what is the role of "password-hash:PLAIN"(?) and of olcPPolicyHashCleartext: TRUE (applied to dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config), and what are the security implications of these changes (we are using starttls on linux / ssl on windows with a self-signed certificate in intranet)?
- Is it (necessary and) enough to switch to "password-hash:PLAIN" to be able to enforce password policies? Does olcPPolicyHashCleartext: TRUE [alone] help as written in this post [1]?
[1] https://www.openldap.org/lists/openldap-technical/201708/msg00024.html
EDIT: I think that olcPPolicyHashCleartext == ppolicy_hash_cleartext (one is OLC, the other is the traditional config)? -> can we update the documentation [2]?
[2] https://www.openldap.org/doc/admin25/guide.html#Password%20Policies
- I am worried about security when storing/transferring passwords in plain text (we are using starttls on linux / ssl on windows with a self-signed certificate in intranet) [3]. Will "ppolicy_hash_cleartext" [2] help with this?
[3] The manual states "Unfortunately, as dictionary and brute force attacks are generally quite easy for attackers to successfully mount, this advantage is marginal at best (this is why all modern Unix systems use shadow password files)."
Many Thanks and Best Regards,
Felix

--
Felix Natter
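One way to get the quality checks without storing plaintext, as an added example that is not part of the post or of the OpenLDAP documentation: keep password-hash at {SSHA}, set olcPPolicyHashCleartext so that cleartext values arriving in Add/Modify requests are checked by the overlay and then hashed before storage, and set pwdCheckQuality in the policy entry. The ppolicy overlay DN is the one from the post, the frontend DN is OpenLDAP's standard one, and the policy entry DN and the pwdMinLength value are assumptions.

```ldif
# Added example, not from the original post.
# 1) Keep hashed storage: the global password-hash stays {SSHA}, not {CLEARTEXT}.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

# 2) Let ppolicy hash cleartext userPassword values from Add/Modify requests
#    after it has checked them, so nothing is stored in plaintext.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE

# 3) Policy entry (assumed DN): pwdCheckQuality 2 rejects a change whose
#    value cannot be checked, e.g. because the client pre-hashed it.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: modify
replace: pwdCheckQuality
pwdCheckQuality: 2
-
replace: pwdMinLength
pwdMinLength: 12
```

Clients must still send the new password in cleartext over TLS (for example via the Password Modify extended operation, as ldappasswd does) so the overlay can check it before hashing; a client that pre-hashes the value bypasses the check and is refused under pwdCheckQuality 2.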