FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Directory

 
 
LinkBack Thread Tools
 
Old 05-22-2012, 09:32 PM
Lucas Sweany
 
Default Disable unhashed#user#password altogether

Is there a way to prevent the unhashed#user#password attribute from being stored or used at all? I don't need it to be replicated anywhere--I presume that the hashed password will be enough to authenticate users.


Thanks,

-Lucas

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-22-2012, 09:37 PM
Mark Reynolds
 
Default Disable unhashed#user#password altogether

Lucas,



A fix was just made to hide it from the audit log:



https://fedorahosted.org/389/ticket/365




The following ticket is to hide it all together, but this has not
been fixed yet:



https://fedorahosted.org/389/ticket/378



Mark



On 05/22/2012 05:32 PM, Lucas Sweany wrote:
Is there a way to prevent the unhashed#user#password
attribute from being stored or used at all? I don't need it to be
replicated anywhere--I presume that the hashed password will be
enough to authenticate users.



Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-22-2012, 09:41 PM
Lucas Sweany
 
Default Disable unhashed#user#password altogether

I am actually seeing the attribute being stored in the database, not just in memory. Do you think the latest ticket will address that as well?

-Lucas

On Tue, May 22, 2012 at 2:37 PM, Mark Reynolds <mareynol@redhat.com> wrote:






Lucas,



A fix was just made to hide it from the audit log:



https://fedorahosted.org/389/ticket/365




The following ticket is to hide it all together, but this has not
been fixed yet:



https://fedorahosted.org/389/ticket/378



Mark



On 05/22/2012 05:32 PM, Lucas Sweany wrote:
Is there a way to prevent the unhashed#user#password
attribute from being stored or used at all? I don't need it to be
replicated anywhere--I presume that the hashed password will be
enough to authenticate users.



Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-22-2012, 09:54 PM
Mark Reynolds
 
Default Disable unhashed#user#password altogether

Well I know it's needed for replicating with AD, but it appears it's
added regardless if replication is in use.* I'm not too familiar
with this though, but I'll update the ticket with this request.



Mark





On 05/22/2012 05:41 PM, Lucas Sweany wrote:
I am actually seeing the attribute being stored in the
database, not just in memory. Do you think the latest ticket will
address that as well?



-Lucas



On Tue, May 22, 2012 at 2:37 PM, Mark
Reynolds <mareynol@redhat.com>
wrote:


Lucas,



A fix was just made to hide it from the audit log:



https://fedorahosted.org/389/ticket/365




The following ticket is to hide it all together, but this
has not been fixed yet:



https://fedorahosted.org/389/ticket/378



Mark





On 05/22/2012 05:32 PM, Lucas Sweany wrote:



Is there a way to prevent the
unhashed#user#password attribute from being stored or
used at all? I don't need it to be replicated
anywhere--I presume that the hashed password will be
enough to authenticate users.



Thanks,



-Lucas









--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users









--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-22-2012, 09:54 PM
Rich Megginson
 
Default Disable unhashed#user#password altogether

On 05/22/2012 03:32 PM, Lucas Sweany wrote:
Is there a way to prevent the unhashed#user#password
attribute from being stored or used at all? I don't need it to be
replicated anywhere--I presume that the hashed password will be
enough to authenticate users.




Unless you need to use Windows Sync, yes.* If you plan to use
Windows Sync you'll have to replicate the unhashed#user#password to
the server that has the windows sync agreement.





Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-22-2012, 10:09 PM
Lucas Sweany
 
Default Disable unhashed#user#password altogether

I am syncing from an AD domain one way (onewaysync: fromWindows), and using the Password Sync service on the domain controllers. Perhaps the Password Sync service requires the attribute?* Even if so, it would be nice if the plain text attribute were to go away once the password hash was stored.


-Lucas

On Tue, May 22, 2012 at 2:54 PM, Rich Megginson <rmeggins@redhat.com> wrote:






On 05/22/2012 03:32 PM, Lucas Sweany wrote:
Is there a way to prevent the unhashed#user#password
attribute from being stored or used at all? I don't need it to be
replicated anywhere--I presume that the hashed password will be
enough to authenticate users.




Unless you need to use Windows Sync, yes.* If you plan to use
Windows Sync you'll have to replicate the unhashed#user#password to
the server that has the windows sync agreement.





Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users







--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-22-2012, 10:12 PM
Rich Megginson
 
Default Disable unhashed#user#password altogether

On 05/22/2012 04:09 PM, Lucas Sweany wrote:
I am syncing from an AD domain one way (onewaysync:
fromWindows), and using the Password Sync service on the domain
controllers. Perhaps the Password Sync service requires the
attribute?*


No.* You only need it if you sync passwords _to_ AD - AD requires
the clear text password.



Even if so, it would be nice if the plain text
attribute were to go away once the password hash was stored.



-Lucas



On Tue, May 22, 2012 at 2:54 PM, Rich
Megginson <rmeggins@redhat.com>
wrote:



On 05/22/2012 03:32 PM, Lucas Sweany wrote:
Is there a way to prevent the
unhashed#user#password attribute from being stored or
used at all? I don't need it to be replicated
anywhere--I presume that the hashed password will be
enough to authenticate users.





Unless you need to use Windows Sync, yes.* If you plan to
use Windows Sync you'll have to replicate the
unhashed#user#password to the server that has the windows
sync agreement.






Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users














--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-22-2012, 10:19 PM
Lucas Sweany
 
Default Disable unhashed#user#password altogether

Well I definitely don't need that. It looks like I will end up writing a script to delete or overwrite the attribute for now.

Thanks,

-Lucas

On Tue, May 22, 2012 at 3:12 PM, Rich Megginson <rmeggins@redhat.com> wrote:






On 05/22/2012 04:09 PM, Lucas Sweany wrote:
I am syncing from an AD domain one way (onewaysync:
fromWindows), and using the Password Sync service on the domain
controllers. Perhaps the Password Sync service requires the
attribute?*


No.* You only need it if you sync passwords _to_ AD - AD requires
the clear text password.



Even if so, it would be nice if the plain text
attribute were to go away once the password hash was stored.



-Lucas



On Tue, May 22, 2012 at 2:54 PM, Rich
Megginson <rmeggins@redhat.com>
wrote:



On 05/22/2012 03:32 PM, Lucas Sweany wrote:
Is there a way to prevent the
unhashed#user#password attribute from being stored or
used at all? I don't need it to be replicated
anywhere--I presume that the hashed password will be
enough to authenticate users.





Unless you need to use Windows Sync, yes.* If you plan to
use Windows Sync you'll have to replicate the
unhashed#user#password to the server that has the windows
sync agreement.






Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
















--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 05:52 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org