By default, 389 DS doesn't allow pre-hashed passwords to be set by anyone other than Directory Manager. This privilege can be delegated to other users by adding them to the Password Administrators group. This works fine for most cases, but there are cases where one might want to allow anyone to set pre-hashed passwords. An example is the FreeIPA project, who has their own SLAPI plug-in that controls pre-hashed password checking. We should add a switch to completely disable pre-hashed password checking to support this case.
Reviewed by Mark.
Pushed to master:
ccc61a3..ab64389 master -> master
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1118051
Please check https://fedorahosted.org/freeipa/ticket/4450#comment:6. FreeIPA team would like to ask for backporting this patch to 1.3.2 branch (and Fedora 20 build) as it is now blocking password migration process.
git patch file (1.3.2) -- backported
Pushed to 389-ds-base-1.3.2:
daffe97..7498972 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
Metadata Update from @mkosek:
- Issue assigned to nkinder
- Issue set to the milestone: 126.96.36.199
to comment on this ticket.