On 05/01/14 21:36 -0400, Michael wrote:
> I have a user with an SSHA userPassword value as well as a SASL userPassword entry. The SASL entry will never change but I'd like to be able to reset and age the SSHA entry only. Is this aging of only one value possible with ppolicy and is it possible to handle manual resets with ldappasswd and/or utilizing an LDIF file?
By SASL userPassword entry, do you mean a cleartext value, or a {SASL}user@domain.com pass-through entry? I'll assume cleartext.
Try setting olcPasswordHash to {SSHA} only. slapd may (or may not) leave the cleartext userPassword entry alone. I haven't used that case.
A more straightforward approach would be to store your SASL authentication material in another SASL auxprop plugin (sasldb or sql) and set olcSaslAuxprops appropriately.