
My current problem is that I cannot stop OpenLDAP from storing passwords as plaintext. In an older OpenLDAP version, I entered the following configuration in slapd.conf:

ppolicy_hash_cleartext
password-hash {SSHA} {SHA} 

So once a password was sent from my application as plaintext, the LDAP server was encrypting it and storing it encrypted.

Unfortunately, I was not able to configure OpenLDAP 2.4.40. I found out that slapd.conf does not exist anymore in the newer version; instead the configuration takes place in the cn=config.ldif file.

I tried to add the same configuration there again, but it seems to have no effect.

EDIT: I added the olcPasswordHash: {SSHA} entry with ldapmodify to olcBackend={0}mdb.ldif, olcDatabase={1}mdb.ldif, olcDatabase={0}config.ldif and cn=config.ldif; still my passwords that are sent as plaintext are stored as plaintext.

Stephan
  • You 'tried to add the same configuration there' how? Works for me. – user207421 Mar 28 '17 at 23:34
  • What do you mean, it works for you? Could you describe how you enabled this option? – Stephan Mar 29 '17 at 12:17
  • Changing the configuration will only affect passwords that are modified from that point forward. It doesn't affect existing passwords. 'Works for me' doesn't seem obscure to me. – user207421 Mar 29 '17 at 12:17
  • I am not interested in existing passwords. In my case it does not encrypt passwords of newly created entries. – Stephan Mar 29 '17 at 12:35

1 Answer


Took some time, but I finally figured it out.

Load the schema describing the ppolicy attributes.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

Create a ppolicy_module.ldif with the following content and make sure that ppolicy.la is located under the defined olcModulePath. Store the file under /etc/ldap.

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib/ldap

Add the ppolicy_module.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_module.ldif

Create a ppolicy-overlay.ldif file with the following content. Make sure of the olcDatabase number; in this case it is olcDatabase={1}mdb. Store the file under /etc/ldap.

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE

Add the LDIF file.

ldapadd -Y EXTERNAL -H ldapi:/// -f ./ppolicy-overlay.ldif

Restart the LDAP server.

More details under: https://fedorahosted.org/sssd/wiki/openldap_ppolicy

Stephan
  • So you had previously been trying to set `ppolicy` attributes without the `ppolicy` overlay? – user207421 Mar 30 '17 at 10:14
  • Most probably yes. I am not sure after so many changes I made. I am wondering, though, who does not like my answer and downvoted it. Faq it! It works. – Stephan Mar 30 '17 at 12:32
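As an added example (not code from the question or the answer), here is the check a practitioner wants after following the steps above, and it also explains why the slapd.conf-era `password-hash` line and its cn=config form `olcPasswordHash` did not help: `olcPasswordHash` governs only the Password Modify extended operation (RFC 3062, what `ldappasswd` sends), while a `userPassword` value carried in an ordinary `ldapadd` or `ldapmodify` is stored exactly as sent unless the ppolicy overlay with `olcPPolicyHashCleartext: TRUE` hashes it first, and entries written before the overlay took effect are never rehashed. The Python script below parses the output of `ldapsearch ... userPassword` (which emits the attribute base64-encoded, the `::` form), flags every entry whose stored value carries no `{SCHEME}` tag as cleartext, and verifies an `{SSHA}` value against a known password using the same `base64(SHA-1(password || salt) || salt)` layout that `slappasswd` produces. The DNs, passwords and salt in the sample dump are constructed for this example.

```python
"""Audit an LDIF dump for cleartext userPassword values and verify SSHA hashes.

Added example for this thread, not code from the question or the answer.
olcPasswordHash only governs the Password Modify extended operation
(ldappasswd); a userPassword sent in a plain ldapadd/ldapmodify is stored
byte-for-byte unless the ppolicy overlay hashes it (olcPPolicyHashCleartext).
Feed this script the output of:
    ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com userPassword
"""
import base64
import hashlib
import os
import re

# ldapsearch emits userPassword base64-encoded ("userPassword:: ..."); an LDIF
# written by hand may carry it in the clear ("userPassword: ..."). Handle both.
_ATTR_RE = re.compile(r"^userPassword(::?) (.*)$", re.IGNORECASE)


def parse_userpasswords(ldif_text):
    """Return [(dn, raw_stored_value_bytes), ...] for every userPassword.
    Unfolds LDIF continuation lines (a leading space joins to the previous
    line) and decodes the ':: base64' form."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    results = []
    dn = None
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            dn = base64.b64decode(line[5:]).decode()
        elif line.startswith("dn: "):
            dn = line[4:]
        else:
            m = _ATTR_RE.match(line)
            if m and dn is not None:
                sep, val = m.groups()
                raw = base64.b64decode(val) if sep == "::" else val.encode()
                results.append((dn, raw))
    return results


def scheme_of(raw):
    """Return the RFC 2307 scheme tag ('{SSHA}', '{CRYPT}', ...) of a stored
    value, or None when there is no tag, i.e. slapd stored the cleartext."""
    m = re.match(rb"^\{([A-Za-z0-9-]+)\}", raw)
    return m.group(0).decode().upper() if m else None


def ssha_hash(password, salt=None):
    """Build an {SSHA} value the way slappasswd does:
    '{SSHA}' + base64(sha1(password + salt) + salt), 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(raw, password):
    """Check a stored {SSHA} value against a candidate password.
    SHA-1 digests are 20 bytes; everything after that is the salt."""
    if scheme_of(raw) != "{SSHA}":
        return False
    blob = base64.b64decode(raw[len(b"{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def audit(ldif_text):
    """Map each DN to 'CLEARTEXT' or its hash scheme, so a reviewer can see
    at a glance whether olcPPolicyHashCleartext is actually doing its job."""
    return {dn: (scheme_of(raw) or "CLEARTEXT")
            for dn, raw in parse_userpasswords(ldif_text)}


# Constructed sample dump: what ldapsearch prints for two users. alice was
# added with ldapadd before the ppolicy overlay was loaded (stored as sent);
# bob was added after olcPPolicyHashCleartext took effect. Fixed salt so the
# sample is reproducible; slapd would pick a random one.
_ALICE = base64.b64encode(b"secret123").decode()
_BOB = base64.b64encode(ssha_hash("hunter2", salt=b"\x01\x02\x03\x04")).decode()
SAMPLE_LDIF = f"""dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: {_ALICE}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: {_BOB}
"""

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {state}")
```

Run it against a real export (`ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com userPassword > dump.ldif`, then `audit(open("dump.ldif").read())`): a DN reported as CLEARTEXT either predates the overlay, so its password must be reset to get hashed, or lives in a database the ppolicy overlay is not attached to (check the `olcDatabase={N}` index used in ppolicy-overlay.ldif).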