Closed eryajf closed 1 month ago
Pardon? Can you elaborate and post some of the code please?
The one user password policy is:
Now, I use this func to change the user password:
```go
func ModifyUserPassword(dn, oldpasswd, newpasswd string) (string, error) {
	passModify := ldap.NewPasswordModifyRequest(
		dn,
		oldpasswd,
		newpasswd)
	result, err := InitCli().PasswordModify(passModify)
	if err != nil {
		return "", err
	}
	return result.GeneratedPassword, nil
}
```
After changing the password, the password policy changed to ssha:
I saw that this project can specify a policy when changing passwords. How should go ldap also support specifying password policies? See: Password policy
The project you're referring to is written in PHP. I don't know where `self-service-password` is getting its information from regarding the "policy", but you're better off asking this question in their repository as we can't answer that.
The mention of `self-service-password` is to demonstrate the feasibility of specifying password policies when changing passwords.
I am currently using go ldap to change the user's password, but the password policy will change. I would like to point out that this is a question for go ldap and I hope to find an answer here.
"You can use these schemes to hash the password before sending it to LDAP directory:" (quote from the page you linked)...
These are two different things:
`PasswordModify` does a password modify call, which sends the password in clear to the server and the policy on the server which hashing algorithm to use is applied. Specifically the `make_password` function takes the `$hash` method and produces the `$password` bytes that are sent through the LDAP connection - seems like it's outside of the LDAP library and/or protocol completely.
This is something that you'd need to take up with the maintainers of self-service-password.
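The distinction drawn above, as an added example that is not part of the thread or of go-ldap: with the PasswordModify call the server chooses the storage scheme, and the `{SSHA}` prefix that appears on `userPassword` afterwards is the salted SHA-1 format, base64 of the 20-byte digest followed by the salt. The function names `Scheme`, `HashSSHA` and `Verify` are hypothetical, and the password and salt are constructed sample values.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Scheme returns the storage scheme of a userPassword value: the upper-cased
// "{...}" prefix, or "CLEAR" when the value carries no prefix at all.
func Scheme(stored string) string {
	if strings.HasPrefix(stored, "{") {
		if end := strings.Index(stored, "}"); end > 1 {
			return strings.ToUpper(stored[1:end])
		}
	}
	return "CLEAR"
}

// HashSSHA builds "{SSHA}" + base64(SHA1(password || salt) || salt).
func HashSSHA(password string, salt []byte) string {
	sum := sha1.Sum(append([]byte(password), salt...))
	return "{SSHA}" + base64.StdEncoding.EncodeToString(append(sum[:], salt...))
}

// Verify checks a candidate password against a clear or SSHA stored value.
func Verify(stored, candidate string) (bool, error) {
	switch Scheme(stored) {
	case "CLEAR":
		return subtle.ConstantTimeCompare([]byte(stored), []byte(candidate)) == 1, nil
	case "SSHA":
		raw, err := base64.StdEncoding.DecodeString(stored[len("{SSHA}"):])
		if err != nil || len(raw) < sha1.Size {
			return false, errors.New("malformed SSHA value")
		}
		sum := sha1.Sum(append([]byte(candidate), raw[sha1.Size:]...))
		return subtle.ConstantTimeCompare(sum[:], raw[:sha1.Size]) == 1, nil
	}
	return false, errors.New("unsupported scheme " + Scheme(stored))
}

func main() {
	after := HashSSHA("s3cret", []byte("saltsalt")) // constructed sample value
	fmt.Println(Scheme("s3cret"), Scheme(after))
	fmt.Println(Verify(after, "s3cret"))
}
```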
I see that he encapsulates make_password in a separate method: visible here
I'm not sure if OpenLDAP will change Clear to SHA after changing the password, I just want to explore whether the current go-ldap project has a solution or idea to keep the password policy unchanged, because I am developing based on go-ldap.
The method he actually called to change the password was: https://github.com/ltb-project/ltb-ldap/blob/0ca06f8aafd116f214418efe9e3f22609c94f431/src/Ltb/Ldap.php#L304
This method is called: https://github.com/ltb-project/ltb-ldap/blob/0ca06f8aafd116f214418efe9e3f22609c94f431/src/Ltb/PhpLDAP.php#L79
The final call is the method provided by PHP: https://www.php.net/manual/zh/function.ldap-exop-passwd.php
My user's default password policy is `clear`. When I change the password using the PasswordModify method, it will automatically change to `ssha`. How can I keep `clear`