Ross Johnson
2008-Sep-03 07:13 UTC
[Fedora-directory-users] User password change which syntax checking
I have FDS 1.1.1 running with password policy and syntax checking working for user passwords via the console, but I haven't been able to get ldappasswd (from mozldap-tools package) to pay attention to those password constraints that I know work via the console. That is, ldappasswd succeeds even when given passwords that fail in the console. Is this what I should expect to see?

AFAICS from looking at source code, manual pages etc, ldappasswd passes the plaintext password to the server to be encrypted and if that's the case then I'm assuming that password checks should be working. I understand that password checks can't be done if the userPassword attribute is modified directly, e.g. by ldapmodify.

I get the feeling I'm missing something very basic, so any clarification would be greatly appreciated.

--
Ross Johnson
Unix Specialist, IT Infrastructure
Insolvency and Trustee Service Australia
Ph: +61 2 6270 3483 Fax: +61 2 6270 3413

Important: This transmission is intended only for the use of the addressee and may contain confidential or legally privileged information. If you are not the intended recipient, you are notified that any use or dissemination of this communication is strictly prohibited. If you have received this transmission in error, please notify immediately by telephone and delete all copies of this transmission, together with any attachments.
Ross Johnson
2008-Sep-04 05:42 UTC
Re: [Fedora-directory-users] User password change which syntax checking
Ross Johnson wrote:
> I have FDS 1.1.1 running with password policy and syntax checking
> working for user passwords via the console, but I haven't been able to
> get ldappasswd (from mozldap-tools package) to pay attention to those
> password constraints that I know work via the console. That is,
> ldappasswd succeeds even when given passwords that fail in the
> console. Is this what I should expect to see?

I've now learnt that FDS will accept a plaintext password in the LDIF from ldapmodify, which is policy checked (I had assumed only a hashed value could be provided - duh) so I can at least move on but I'm still puzzled by ldappasswd since that would be the most obvious choice for scripting password changes. It's possibly only the mozldap-tools version because I see that other implementations provide parameters to send either plaintext passwords or encrypted.
Rich Megginson
2008-Sep-16 19:32 UTC
Re: [Fedora-directory-users] User password change which syntax checking
Ross Johnson wrote:
> I have FDS 1.1.1 running with password policy and syntax checking
> working for user passwords via the console, but I haven't been able to
> get ldappasswd (from mozldap-tools package) to pay attention to those
> password constraints that I know work via the console. That is,
> ldappasswd succeeds even when given passwords that fail in the
> console. Is this what I should expect to see?

No.

> AFAICS from looking at source code, manual pages etc, ldappasswd
> passes the plaintext password to the server to be encrypted and if
> that's the case then I'm assuming that password checks should be
> working. I understand that password checks can't be done if the
> userPassword attribute is modified directly, e.g. by ldapmodify.
>
> I get the feeling I'm missing something very basic, so any
> clarification would be greatly appreciated.

Do you have the same problem with Fedora DS 1.1.2? Are you sure the password is being sent unencrypted?
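One way to answer the last question in the thread, as an added example that is not part of the original posts or of any tool named in them: decode the RFC 3062 Password Modify `requestValue` taken from a capture of an unencrypted LDAP session and check whether `newPasswd` is plaintext or already carries a storage-scheme tag such as `{SSHA}`, in which case the server has no plaintext to syntax-check. The function names and the sample bytes are constructed for illustration.

```python
import re

# RFC 3062 Password Modify extended operation (requestName 1.3.6.1.4.1.4203.1.11.1):
#   PasswdModifyRequestValue ::= SEQUENCE {
#       userIdentity [0] OCTET STRING OPTIONAL,
#       oldPasswd    [1] OCTET STRING OPTIONAL,
#       newPasswd    [2] OCTET STRING OPTIONAL }
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
# A value starting with a storage-scheme tag such as {SSHA} was hashed by the client.
SCHEME_PREFIX = re.compile(rb"^\{[A-Za-z0-9_-]+\}")

def read_tlv(buf, pos):
    """Decode one definite-length BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_passwd_modify(value):
    """Split a requestValue into its named fields (raw bytes)."""
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("requestValue is not a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag not in FIELDS:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields[FIELDS[tag]] = val
    return fields

def new_password_is_prehashed(value):
    """True if newPasswd is pre-hashed, False if plaintext, None if absent."""
    new = parse_passwd_modify(value).get("newPasswd")
    return None if new is None else bool(SCHEME_PREFIX.match(new))

def short_tlv(tag, val):  # short-form encoder, used only to build the constructed samples
    return bytes([tag, len(val)]) + val

DN = b"uid=test,dc=example,dc=com"  # constructed sample entry
SAMPLE_PLAIN = short_tlv(0x30, short_tlv(0x80, DN) + short_tlv(0x82, b"abc"))
SAMPLE_HASHED = short_tlv(0x30, short_tlv(0x80, DN) + short_tlv(0x82, b"{SSHA}Q09OU1RSVUNURUQ="))
```

A `None` result means the request carried no `newPasswd`, which RFC 3062 allows when the server is asked to generate the password.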