Thank you for helping. The LDIF below solved my problem.

# Load the ppolicy overlay module into the running server.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Attach the overlay to the {1}mdb database: hash cleartext passwords on
# Add/Modify, enable lockout, and point at the default policy entry.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
olcPPolicyDefault: cn=PasswordPolicy,ou=Policies,dc=example,dc=com


On Sun, Nov 12, 2023 at 7:12 PM Shawn McKinney <[email protected]> wrote:

>
>
> > On Nov 10, 2023, at 10:24 AM, Veniamin Gvozdikov <[email protected]> wrote:
> >
> > Hello.
> >
> > I would like to use hashed user passwords but I didn't get the property
> > with encryption of passwords for userPassword. If you open DIT with Apache
> > Directory Studio any user from ou=People account's property with the
> > password you will be able to set a new password with any of the listed
> > hashing algorithms.
> >
>
> Veniamin,
>
> The hash operations related to processing users and their passwords is
> handled on the server.
>
> For example, for password policies in OpenLDAP[1] we'd enable it in the
> OpenLDAP config:
>
>
> ```
> overlay     ppolicy
> policy_hash_cleartext
> ```
>
> This reduces complexity on the client side. Now, when the client requests
> that a password be added, changed or checked (bind), it sends the pw in
> clear text. The server will change/interpret it as needed.
>
> Man (openldap) slapo-policy
> …
> ppolicy_hash_cleartext
>  Specify that cleartext passwords present in Add and Modify requests
> should be hashed before being stored in the database. This violates the
> X.500/LDAP information model, but may be  needed  to  compensate for LDAP
> clients that don't use the Password Modify extended operation to manage
> passwords.  It is recommended that when this option is used that compare,
> search, and read access be denied to all directory users.
>
>
> > I reviewed src/main/java/org/apache/directory/fortress/core/model/User.java
> > with these lines but no mention of hashing.
> >
>
> Correct. That’s how it works currently.
>
> > /**
> >  * Get the optional password attribute associated for a User.
> >  * Note, this value is required before User will pass Fortress authentication in
> >  * {@link org.apache.directory.fortress.core.impl.AccessMgrImpl#createSession(User, boolean)}.
> >  * Even though password is char[] format here it will be stored on the ldap server
> >  * (using server-side controls) in configurable and standard hashed formats.
> >  *
> >  * @return value maps to 'userPassword' attribute in 'inetOrgPerson' object class.
> >  */
> > public String getPassword()
> > {
> >     return password;
> > }
> >
> >
> > --
> > Regards,
> > Veniamin

-- 
Regards,
Veniamin
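Shawn's point above is that once the ppolicy overlay runs with hash_cleartext enabled, slapd hashes the cleartext userPassword it receives in Add and Modify requests before storing it; entries whose password was stored in cleartext before the overlay was switched on are not rewritten, so an audit of the existing directory is worth doing. The Python below is an added example, not code from this thread, from Apache Fortress or from OpenLDAP: it implements the {SSHA} layout slapd uses for such hashes (base64 of the SHA-1 digest of password+salt, followed by the salt), verifies a candidate password against one, and walks an LDIF export to report which entries still hold a cleartext userPassword. The sample export, its DNs, passwords and the fixed salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Matches the "{SCHEME}" prefix slapd puts in front of a hashed userPassword.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password: str, salt: bytes = b"\x10\x32\x54\x76") -> str:
    """Build a {SSHA} value in the layout slapd stores: base64(SHA1(pw + salt) + salt).
    The salt is fixed here so the sample below is reproducible; slapd picks a random one."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    The salt is whatever follows the 20-byte SHA-1 digest, so any salt length works."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    and splits entries on blank lines. Returns a list of {attr: [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # folded continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([^:]+)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(value: str) -> str:
    """Return the scheme name of a userPassword value ('SSHA', 'CRYPT', ...) or 'cleartext'."""
    m = SCHEME_RE.match(value)
    return m.group(1) if m else "cleartext"


def audit_passwords(ldif_text: str) -> list:
    """List (dn, scheme) for every userPassword in the export; 'cleartext' rows
    predate the overlay and only get hashed once the password is set again."""
    report = []
    for entry in parse_ldif(ldif_text):
        for value in entry.get("userPassword", []):
            report.append((entry["dn"][0], classify_password(value)))
    return report


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample export (ldapsearch writes userPassword base64-encoded with '::').
# alice was set after the overlay was enabled; legacy still holds a cleartext value.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: {_b64(ssha_hash("alice-pass"))}

dn: uid=legacy,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: legacy
userPassword:: {_b64("legacy-pass")}
"""


if __name__ == "__main__":
    for dn, scheme in audit_passwords(SAMPLE_LDIF):
        print(f"{scheme:10} {dn}")
```

To run it against a real server, export the subtree with an identity that is allowed to read userPassword (for example `ldapsearch -LLL -b ou=People,dc=example,dc=com userPassword`) and pass the output to `audit_passwords`; every row reported as `cleartext` only becomes hashed after that user's password is set again through the overlay, and, as the man page excerpt above recommends, read access to the attribute should be withheld from ordinary directory users once the audit is done.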
