unhashed#user#password field
On 05/18/2012 12:13 PM, Alberto Viana wrote:
I have a 389 DS server replication agreement with an
AD Server and when I change the password on the Windows side it
replicates into 389 but via 389 console I can see this field
"unhashed#user#password" in clear text.
How can I encrypt this field? Is it possible?
No, but you could use access control to deny access
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
I tried the following configuration:
Source: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Creating_and_Maintaining_Databases-Database_Encryption
dn: cn=unhashed#user#password,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: unhashed#user#password
nsEncryptionAlgorithm: AES
If I restart my server the field is gone.
That's only for encrypting the data on disk (e.g. in case someone
breaks into your system and attempts to read the value from the disk
file).
The fact is that I need to prevent my admin from seeing the
user's password.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users