
SSHA password encryption on OpenLDAP

My current problem is that I cannot stop OpenLDAP from storing passwords as plaintext. In an older OpenLDAP version, I entered the following configuration in the slapd.conf:

ppolicy_hash_cleartext
password-hash {SSHA} {SHA} 

So once a password was sent from my application as plaintext, the LDAP server was encrypting it and storing it encrypted.

Unfortunately, I was not able to configure OpenLDAP 2.4.40. I found out that slapd.conf does not exist anymore in the newer version and that the configuration instead takes place in the cn=config.ldif file.

I tried to add the same configuration there again, but it seems to have no effect.

EDIT: I added the olcPasswordHash: {SSHA} entry with ldapmodify in olcBackend={0}mdb.ldif, olcDatabase={1}mdb.ldif, olcDatabase={0}config.ldif and cn=config.ldif, but my passwords that are sent as plaintext are still stored as plaintext.

Took some time, but I finally figured it out.

Load the schema describing the ppolicy attributes:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

Create a ppolicy_module.ldif with the following content and make sure that ppolicy.la is located under the defined olcModulePath. Store the file under /etc/ldap.

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib/ldap

Add the ppolicy_module.ldif:

ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_module.ldif

Create a ppolicy-overlay.ldif file with the following content. Make sure of the olcDatabase number; in this case it is olcDatabase={1}mdb. Store the file under /etc/ldap.

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE

Add the LDIF file:

ldapadd -Y EXTERNAL -H ldapi:/// -f ./ppolicy-overlay.ldif

Restart slapd.

More details under: https://fedorahosted.org/sssd/wiki/openldap_ppolicy
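The steps above make slapd hash passwords that are written after the ppolicy overlay is in place; entries whose userPassword was already stored in cleartext keep their old value until it is rewritten. The script below is an added example, not code from the question or the answer. It reproduces the {SSHA} encoding OpenLDAP uses, base64(SHA-1(password || salt) || salt), so a stored value can be verified offline, and it scans ldapsearch-style LDIF output for userPassword values that carry no {scheme} prefix, which is how you would confirm that the overlay took effect and find leftover cleartext entries. The DNs and values in SAMPLE_LDIF are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional

# RFC 2307 style prefix: "{SCHEME}" followed by the encoded value.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)
SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as OpenLDAP's {SSHA} scheme does:
    base64(SHA-1(password || salt) || salt), prefixed with {SSHA}."""
    if salt is None:
        salt = os.urandom(8)  # slapd picks a random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no salt present: not a well-formed {SSHA} value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare


def password_storage_kind(value: str) -> str:
    """Return the storage scheme of a userPassword value ('SSHA', 'SHA',
    'CRYPT', ...) or 'cleartext' when there is no {scheme} prefix."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "cleartext"


def _unfold(ldif_text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto their attribute line."""
    lines: List[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def find_cleartext_passwords(ldif_text: str) -> List[str]:
    """Scan ldapsearch-style LDIF and return the DNs whose userPassword
    is stored without a {scheme} prefix, i.e. in cleartext."""
    offenders: List[str] = []
    dn = None
    for line in _unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the entry
        elif line.startswith("dn: "):
            dn = line[len("dn: "):]
        elif line.startswith("userPassword:: "):
            # ldapsearch base64-encodes userPassword; "::" marks base64
            raw = base64.b64decode(line[len("userPassword:: "):])
            value = raw.decode("utf-8", "replace")
            if dn and password_storage_kind(value) == "cleartext":
                offenders.append(dn)
        elif line.startswith("userPassword: "):
            if dn and password_storage_kind(line[len("userPassword: "):]) == "cleartext":
                offenders.append(dn)
    return offenders


# Constructed sample of what "ldapsearch -LLL ... userPassword" prints:
# alice was written before the overlay was enabled, bob after it.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "uid: alice\n"
    "userPassword:: c2VjcmV0\n"  # base64("secret"): stored in cleartext
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "uid: bob\n"
    "userPassword:: "
    + base64.b64encode(make_ssha("secret", salt=b"12345678").encode()).decode()
    + "\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "uid: carol\n"
)

if __name__ == "__main__":
    for dn in find_cleartext_passwords(SAMPLE_LDIF):
        print("cleartext userPassword:", dn)
    h = make_ssha("secret")
    print(h, verify_ssha("secret", h))
```

To run the scan against a live directory, feed the script the output of an ldapsearch bound as a DN that is allowed to read userPassword (the rootdn or a SASL EXTERNAL bind over ldapi:///), then rewrite the reported entries so that the overlay hashes them.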
