On 05/18/2012 12:13 PM, Alberto Viana wrote:
I have a 389 DS server replication agreement with an AD Server and when I change the password in the windows side it replicates into 389 but via 389 console I can see this field "unhashed#user#password" in clear text.

How can I encrypt this field? Is it possible?

No, but you could use access control to deny access
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html



I tried the following configuration:

Source: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Creating_and_Maintaining_Databases-Database_Encryption

dn: cn=unhashed#user#password,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: unhashed#user#password
nsEncryptionAlgorithm: AES

If I restart my server the field is gone.

That's only for encrypting the data on disk (e.g. in case someone breaks into your system and attempts to read the value from the disk file).


The fact is that I need to prevent my admin from seeing the user's password.


--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
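As an added example (not posted in this thread), this is the shape of the access control the reply points to: an ACI on the suffix that denies read, search and compare on unhashed#user#password to every bind, anonymous included. The suffix dc=example,dc=com and the file name are assumptions; replace them with your own.

```ldif
# Added example, not from the thread. Apply with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f deny-unhashed.ldif
# The suffix below is an assumed placeholder; use the suffix of your userRoot.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "unhashed#user#password")
 (version 3.0; acl "Deny reading the cleartext password synced from AD";
 deny (read, search, compare) userdn = "ldap:///anyone";)

# Check: bind as the admin account that should no longer see the value and
# request the attribute explicitly; it must be absent from the result.
#   ldapsearch -x -D "uid=admin,ou=people,dc=example,dc=com" -W \
#     -b "dc=example,dc=com" "(uid=someuser)" unhashed#user#password
```

ACIs are never enforced for cn=Directory Manager, so this only helps if the admin in question binds as an ordinary (delegated) administrative account rather than as Directory Manager.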