2012/6/20 Patrick Hemmer <openldap(a)stormcloud9.net>:
Sent: Wed Jun 20 2012 04:36:03 GMT-0400 (EDT)
From: Clément OUDOT <clem.oudot(a)gmail.com>
To: Francesco Belli <Francesco.Belli(a)vegaspace.com>
Subject: Re: PAM authentication and PPolicy issues
2012/6/20 Francesco Belli <Francesco.Belli(a)vegaspace.com>:
I already used pam_password directive, I set it to cleartext, but this
parameter is used for password change and not for authentication. As man
pam_ldap says "Specifies the password change protocol to use", so not the
authentication method. Now my situation is that I have some users in the
LDAP server that they have a SHA hash in the userPassword field, and they
are correctly authenticated, others that have a clear text password and
cannot be authenticated via PAM.
Password scheme used in LDAP directory do not prevent any application
to authenticate to LDAP. Dig into logs to see what is the real reason
of your problem.
In addition, it is not true that the password must be stored in cleartext
for pwdCheckQuality and pwdInHistory to work. Storing passwords in cleartext
They can be stored hashed, but they must be sent as clear text in the
modification operation so that OpenLDAP can check the quality (min
size for example). The ppolicy overlay is then able to hash them when
storing accepted password in database.