Dear openldap-technical users,
my password policies (openldap 2.5.11) are not enforced and Roland
Gruber (author of LAM (Pro)) kindly advised me that passwords must be
stored in plaintext (Hash=PLAIN) in order to be able to enforce password
minimal length, password quality etc. (i.e. when using passwd(1) on Linux
or an LDAP client on Windows).
Currently we are storing passwords as base64 encoded (::*) Salted SHA1
hashes ("{SSHA}*") (according to slapcat -n 1).
tl;dr: For enforcing password policies, what is the role of
"password-hash:PLAIN"(?) and olcPPolicyHashCleartext: TRUE (applied to
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config) and what is
the security implication of these changes (we are using starttls on
linux / ssl on windows with a self-signed certificate in intranet)?
- Is it (necessary and) enough to switch to "password-hash:PLAIN" to be
able to enforce password policies? Does olcPPolicyHashCleartext: TRUE
[alone] help as written in this post [1]?
[1]
https://www.openldap.org/lists/openldap-technical/201708/msg00024.html
EDIT: I think that olcPPolicyHashCleartext==ppolicy_hash_cleartext
(one is OLC, one is trad. config)? -> can we update the documentation [2]?
[2]
https://www.openldap.org/doc/admin25/guide.html#Password%20Policies
- I am worried about security when storing/transferring passwords in
plain text (we are using starttls on linux / ssl on windows with a
self-signed certificate in intranet) [3]. Will
"ppolicy_hash_cleartext" [2] help with this?
[3] The manual states "Unfortunately, as dictionary and brute force
attacks are generally quite easy for attackers to successfully mount,
this advantage is marginal at best (this is why all modern Unix systems
use shadow password files)."
Many Thanks and Best Regards,
Felix
--
Felix Natter
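A configuration that keeps {SSHA} storage while giving slapo-ppolicy the cleartext it needs to check length and quality, as an added example that is not part of the original post or of OpenLDAP's own documentation; the overlay DN is the one quoted in the question, while the policy entry DN, the base suffix and the numeric values are assumptions.

```ldif
# Added example (not from the post). cn=config LDIF for OpenLDAP 2.5.
# Clients send the cleartext password over TLS; the server hashes it
# before storing, so nothing is written to the database in plain text.
# slapd.conf equivalents: "password-hash {SSHA}" (global) and
# "ppolicy_hash_cleartext" under the ppolicy overlay.

# 1. Hash used for passwords the server hashes itself (frontend database,
#    applies to all backends). Equivalent of "password-hash" in slapd.conf.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

# 2. Let ppolicy hash cleartext userPassword values that arrive via
#    ordinary Add/Modify (not only via the Password Modify extended
#    operation), so it can check length/quality and then store the hash.
#    Overlay DN taken from the question; policy DN is assumed.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE
-
replace: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. The policy entry (assumed DN and values). pwdCheckQuality: 2 makes
#    the server reject a change it cannot check, i.e. a value the client
#    already hashed, so a client cannot bypass pwdMinLength by hashing
#    locally. pwdPolicy is auxiliary, hence the structural "person" class.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdInHistory: 5
```

After applying with ldapmodify as the config root, a change submitted as a {SSHA} value from the client is refused with a policy error, while a cleartext value that meets the policy is stored as {SSHA} (verify with slapcat -n 1 as in the question).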