OpenLDAP's slapd daemon only hashes passwords that are managed with the "LDAP Password Modify Extended Operation" in which the password arrives to the server in cleartext. Passwords are not changed over the normal LDAP modify operation, they are written verbatim - of course you can't send a SHA hash to the server and expect that it complies with password policy. What do you think, that slapd is able to automagically decrypt your hashes in real-time in order to perform policy checks?
-mike
On Wed, Nov 29, 2017 at 8:08 AM, Raja T Nair rtnair@gmail.com wrote:
Hello All,
I'm using openldap-ltb-2.4.44-2 Using password-hash {SSHA512}
We have an in-house portal which allows people to change their passwords. It is written in PHP.
version = php 5.6 lib = php-ldap $entry['userpassword'] = $newpasswd; ldap_modify($conn, $userdn, $entry);
$newpasswd contains new password in plain text.
It seems that the server does not encrypt the plain text string sent to it from the portal, it only encodes it in base64.
When an encrypted string is sent (SSHA512), the server rejects based on password policy since no special character is present.
We would want to make the first method to work. Can somebody help me with this?
ps: ldappasswd command works perfectly and the password gets encrypted in SSHA512 and encoded in base64.
Best Regards, Raja.
-- :^)