[Freeipa-devel] Consistent password hashing and lookups

Simo Sorce ssorce at redhat.com
Tue May 13 19:47:30 UTC 2014


----- Original Message -----
> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
> > Is there any other attribute to look at?
> > For example the timestamp when it was last set and base the update on
> > that rather than on matching password values?
> > 
> There are some other solutions, but they are less elegant or don't work
> consistently. (Eg: bad hacks)

Reading userPassword is a bad hack, that will stop working as soon as we decide to change the default hash type.

Do yourself a favor, use a simple bind to check the user password.
If the bind succeeds you have the right password, and you stop.
If it fails you just override the password with whatever you have in puppet.

Simo.


-- 
Simo Sorce * Red Hat, Inc. * New York
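
The bind-then-override check described in the message above, as an added example that is not part of the original post or of FreeIPA. `FakeDirectory` and `ensure_password` are hypothetical names, and the in-memory directory is a constructed stand-in for an LDAP server so the code runs offline. As an assumption of this example, only result code 49 (invalidCredentials) is treated as a password mismatch, and an empty password is refused because a simple bind with an empty password is an unauthenticated bind.

```python
# Added example: idempotent password enforcement through a simple bind.
# FakeDirectory is constructed for illustration; a real bind() would wrap an LDAP simple bind.
import hashlib, hmac, os

LDAP_SUCCESS = 0               # RFC 4511 resultCode success
LDAP_INVALID_CREDENTIALS = 49  # RFC 4511 resultCode invalidCredentials
LDAP_UNAVAILABLE = 52          # RFC 4511 resultCode unavailable


class FakeDirectory:
    """Constructed in-memory directory that stores only salted hashes."""
    def __init__(self, scheme="sha256"):
        self.scheme, self.entries, self.up = scheme, {}, True

    def set_password(self, dn, password):
        salt = os.urandom(8)
        digest = hashlib.new(self.scheme, salt + password.encode()).digest()
        self.entries[dn] = (self.scheme, salt, digest)

    def bind(self, dn, password):
        if not self.up:
            return LDAP_UNAVAILABLE
        if dn not in self.entries:
            return LDAP_INVALID_CREDENTIALS
        scheme, salt, digest = self.entries[dn]
        candidate = hashlib.new(scheme, salt + password.encode()).digest()
        ok = hmac.compare_digest(candidate, digest)
        return LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS


def ensure_password(directory, dn, desired):
    """Return 'unchanged' or 'reset'; raise when the bind gives no clear answer."""
    if not desired:
        # An empty password in a simple bind is an unauthenticated bind
        # (RFC 4513) and can succeed without proving anything.
        raise ValueError("refusing to test an empty password")
    code = directory.bind(dn, desired)
    if code == LDAP_SUCCESS:
        return "unchanged"
    if code == LDAP_INVALID_CREDENTIALS:
        directory.set_password(dn, desired)
        return "reset"
    # Server unavailable and similar: do not overwrite on an ambiguous failure.
    raise RuntimeError(f"bind failed with LDAP result code {code}")
```

The caller never reads the stored hash, so the result stays the same when the server's default hash type changes.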



