05-18-2012, 06:13 PM
Alberto Viana

unhashed#user#password field

I have a 389 DS server replication agreement with an AD Server and when I change the password in the windows side it replicates into 389 but via 389 console I can see this field "unhashed#user#password" in clear text.

How can I encrypt this field? Is it possible?

I tried the following configuration:
Source: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Creating_and_Maintaining_Databases-Database_Encryption

dn: cn=unhashed#user#password,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: unhashed#user#password
nsEncryptionAlgorithm: AES

If I restart my server the field is gone.

The fact is that I need to prevent my admin from seeing the user's password.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
05-18-2012, 06:22 PM
Rich Megginson

unhashed#user#password field

On 05/18/2012 12:13 PM, Alberto Viana wrote:
> I have a 389 DS server replication agreement with an AD Server and when I change the password in the windows side it replicates into 389 but via 389 console I can see this field "unhashed#user#password" in clear text.
>
> How can I encrypt this field? Is it possible?

No, but you could use access control to deny access

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html

> I tried the following configuration:
>
> Source: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Creating_and_Maintaining_Databases-Database_Encryption
>
> dn: cn=unhashed#user#password,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> objectClass: top
> objectClass: nsAttributeEncryption
> cn: unhashed#user#password
> nsEncryptionAlgorithm: AES
>
> If I restart my server the field is gone.

That's only for encrypting the data on disk (e.g. in case someone breaks into your system and attempts to read the value from the disk file).

> The fact is that I need to prevent my admin from seeing the user's password.
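One way to apply the access-control suggestion above, as an added example that is not from this thread or from the 389 project: an ACI that denies read, search and compare on unhashed#user#password to every bind identity, loaded with ldapmodify. The suffix dc=example,dc=com, the file name and the admin DN in the check are placeholders.

```ldif
# Added example (not from the thread): deny everyone read/search/compare on
# unhashed#user#password at the suffix. dc=example,dc=com is a placeholder;
# replace it with your own suffix.
# Apply with:  ldapmodify -x -D "cn=Directory Manager" -W -f deny-unhashed.ldif
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "unhashed#user#password")(version 3.0; acl "Deny read of unhashed#user#password"; deny (read, search, compare) userdn = "ldap:///anyone";)

# Check (placeholder DNs): bind as a non-root admin and request the attribute;
# it must not be returned once the ACI is in place.
#   ldapsearch -x -D "uid=admin,ou=People,dc=example,dc=com" -W \
#     -b dc=example,dc=com "(uid=someuser)" unhashed#user#password
```

A deny ACI takes precedence over the default allow-read ACI on the suffix, so ordinary admin accounts lose access to the attribute. The Directory Manager (root DN) is not subject to ACIs, so this does not hide the value from anyone binding as cn=Directory Manager.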
 
05-21-2012, 02:56 PM
Mark Reynolds

unhashed#user#password field

Also see: https://fedorahosted.org/389/ticket/365

This will be included in a future release.

Mark