Fedora Directory Server Password Storage
Schema / Policy
I’m seeing a couple of posts from people and on the web quoting my web page about the Fedora Directory Server, saying that the Password Storage schema policy (i.e. setting it to CLEAR, CRYPT, DES, MD5, SHA, SSHA etc.) doesn’t work. Remember that in the original document, which I wrote in 2006, “LDAP Fedora Directory Server HOWTO with SSL & NOSSL for Unix / Linux / MacOSX / Windows Client Binding”, I used Fedora Directory Server 1.02, not 1.03 nor 1.04.
I know that Fedora Directory Server 1.04 didn’t quite work, as I found out. I can’t comment on Fedora Directory Server 1.03 as I totally bypassed it for reasons which I won’t mention, but I did get the Password Storage Schema / Policy working for FDS 1.04, which I will document here as it seems a lot of people are interested in this.
If you followed my steps in the document mentioned above, in “Section 3.1 Configuring Password Policy for all three Platforms”, it worked in 1.02 and “should” work in subsequent versions including 1.03 & 1.04, but I checked over it and it didn’t make the necessary changes. So in the end I did it manually, which I will describe here.
Start the FDS console. I’m assuming you have read my previous document, on which this example is based, i.e.
cd /opt/fedora-ds
./startconsole
Log in as Directory Manager, then double click on Directory Server, which should pop up another window saying “Fedora Directory Server”. Now click on the Directory tab. All the configuration is stored under the config entry. Right click on config and select Properties.
Anything related to the password storage schema / policy is stored in these password* attributes, i.e.
passwordchange
passwordchecksyntax
passwordexp
passwordgracelimit
passwordhistory
passwordstoragescheme
... etc.
But the one you are probably interested in is passwordstoragescheme; that’s why you are looking at this document. You set the password storage scheme with this variable. For me, as I said, crypt is the encryption method I used so everything will talk nicely to each other, i.e.
passwordstoragescheme = CRYPT
You can change the storage scheme to any encryption method, but make sure you use the right value and that it is supported by Fedora Directory Server; as of 1.04 I know it supports Clear, Crypt, DES, MD5, SHA, SSHA. Make sure you use the right syntax.
If you look at my other document in “Section 3.1 Configuring Password Policy for all three Platforms” you will notice the password policy has other values which can be set, such as the number of password tries before the account is locked, which is set by passwordmaxfailure. The variables are pretty self explanatory.
I would strongly advise people to upgrade to Fedora Directory Server 1.04. I know some things are broken, like the GUI import of SSL certificates, but you can still import them via the command line, and it fixes the biggest issue, the huge memory leaks found in 1.02.