Is there a way to prevent the unhashed#user#password attribute from being stored or used at all? I don't need it to be replicated anywhere--I presume that the hashed password will be enough to authenticate users.
Thanks,
-Lucas
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
05-22-2012, 09:37 PM
Mark Reynolds
Disable unhashed#user#password altogether
Lucas,
A fix was just made to hide it from the audit log:
https://fedorahosted.org/389/ticket/365
The following ticket is to hide it altogether, but this has not
been fixed yet:
https://fedorahosted.org/389/ticket/378
Mark
05-22-2012, 09:41 PM
Lucas Sweany
Disable unhashed#user#password altogether
I am actually seeing the attribute being stored in the database, not just in memory. Do you think the latest ticket will address that as well?
-Lucas
05-22-2012, 09:54 PM
Mark Reynolds
Disable unhashed#user#password altogether
Well I know it's needed for replicating with AD, but it appears it's
added regardless if replication is in use. I'm not too familiar
with this though, but I'll update the ticket with this request.
Mark
05-22-2012, 09:54 PM
Rich Megginson
Disable unhashed#user#password altogether
On 05/22/2012 03:32 PM, Lucas Sweany wrote:
> Is there a way to prevent the unhashed#user#password
> attribute from being stored or used at all? I don't need it to be
> replicated anywhere--I presume that the hashed password will be
> enough to authenticate users.
Unless you need to use Windows Sync, yes. If you plan to use
Windows Sync you'll have to replicate the unhashed#user#password to
the server that has the windows sync agreement.
> Thanks,
> -Lucas
05-22-2012, 10:09 PM
Lucas Sweany
Disable unhashed#user#password altogether
I am syncing from an AD domain one way (onewaysync: fromWindows), and using the Password Sync service on the domain controllers. Perhaps the Password Sync service requires the attribute? Even if so, it would be nice if the plain text attribute were to go away once the password hash was stored.
-Lucas
05-22-2012, 10:12 PM
Rich Megginson
Disable unhashed#user#password altogether
On 05/22/2012 04:09 PM, Lucas Sweany wrote:
> I am syncing from an AD domain one way (onewaysync:
> fromWindows), and using the Password Sync service on the domain
> controllers. Perhaps the Password Sync service requires the
> attribute?
No. You only need it if you sync passwords _to_ AD - AD requires
the clear text password.
> Even if so, it would be nice if the plain text
> attribute were to go away once the password hash was stored.
> -Lucas
05-22-2012, 10:19 PM
Lucas Sweany
Disable unhashed#user#password altogether
Well I definitely don't need that. It looks like I will end up writing a script to delete or overwrite the attribute for now.
Thanks,
-Lucas
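
An added example, not part of the original thread and not 389 Directory Server code: one way to audit an LDIF export for entries that still carry unhashed#user#password and to produce a copy with the attribute stripped. It assumes the attribute appears in the export under that name; `unfold`, `audit_and_scrub` and the sample entries are constructed for illustration.

```python
import base64

ATTR = "unhashed#user#password"  # attribute name as written in the thread

def unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit_and_scrub(ldif_text):
    """Return (DNs carrying ATTR, LDIF with ATTR removed); values are never decoded."""
    flagged, kept, dn = [], [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not line.strip():
            dn = None                      # blank line ends the current entry
        elif line.startswith("#") or not sep:
            pass                           # comment or line without ':' is kept as is
        elif name.lower() == "dn":
            dn = rest.strip()
            if rest.startswith(":"):       # "dn::" means the DN is base64-encoded
                dn = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif name.split(";")[0].lower() == ATTR:
            if dn not in flagged:
                flagged.append(dn)
            continue                       # drop the line from the scrubbed copy
        kept.append(line)
    return flagged, "\n".join(kept) + "\n"

# Constructed sample export; the DNs, hash and passwords are made up.
BOB_DN = "uid=bob,ou=People,dc=example,dc=com"
SAMPLE = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword: {SSHA}constructed-hash",
    "unhashed#user#password: constructed-clear",
    " text-value",
    "",
    "dn:: " + base64.b64encode(BOB_DN.encode()).decode(),
    "unhashed#user#password:: " + base64.b64encode(b"constructed").decode(),
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
]) + "\n"

dns, scrubbed = audit_and_scrub(SAMPLE)
print("entries still holding the attribute:", dns)
```

The report lists DNs only, so the clear-text values never reach a terminal or log, and a folded value is removed together with its continuation line.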