Tags: ldap, openldap, ssha, sha

SSHA password encryption on OpenLDAP


My current problem is that I cannot stop OpenLDAP from storing passwords as plaintext. In an older OpenLDAP version, I entered the following configuration in slapd.conf:

    ppolicy_hash_cleartext
    password-hash {SSHA} {SHA}

So once a password was sent from my application as plaintext, LDAP was encrypting it and storing it encrypted.

Unfortunately, I was not able to configure OpenLDAP 2.4.40. I found out that slapd.conf does not exist anymore in the newer version and that the configuration instead takes place in the cn=config.ldif file.

I tried to add the same configuration there again, but it seems to have no effect.

EDIT: I added the olcPasswordHash: {SSHA} entry with ldapmodify in olcBackend={0}mdb.ldif, olcDatabase={1}mdb.ldif, olcDatabase={0}config.ldif and cn=config.ldif; still, my passwords that are sent as plaintext are stored as plaintext.


Solution

  • Took some time, but finally figured it out.

    Load the schema describing the ppolicy attributes.

    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
    

    Create a ppolicy_module.ldif with the following content and make sure that ppolicy.la is located under the defined olcModulePath. Store the file under /etc/ldap.

    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModuleLoad: ppolicy.la
    olcModulePath: /usr/lib/ldap
    

    Add the ppolicy_module.ldif.

    ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_module.ldif
    

    Create a ppolicy-overlay.ldif file with the following content. Make sure of the olcDatabase number; in this case it is olcDatabase={1}mdb. Store the file under /etc/ldap.

    dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
    objectClass: olcPPolicyConfig
    olcOverlay: ppolicy
    olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
    olcPPolicyUseLockout: FALSE
    olcPPolicyHashCleartext: TRUE
    

    Add the LDIF file.

    ldapadd -Y EXTERNAL -H ldapi:/// -f ./ppolicy-overlay.ldif
    

    Restart ldap.

    More details at: https://fedorahosted.org/sssd/wiki/openldap_ppolicy
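As an added check that is not part of the answer above: once the ppolicy overlay is loaded with olcPPolicyHashCleartext: TRUE, a cleartext password written through ldapadd/ldapmodify should land in userPassword as a {SSHA} value, while entries written before the change keep whatever they had. The Python below (my own example, not code from the original post) implements OpenLDAP's {SSHA} format, base64(SHA-1(password || salt) || salt), and audits an ldapsearch LDIF dump for entries whose userPassword still has no scheme prefix; the DNs and the sample dump are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re

# A userPassword value looks like "{SCHEME}data"; with no scheme prefix it is cleartext.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if not salt:
        salt = os.urandom(4)  # same salt length slappasswd uses by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

def password_scheme(value: str) -> str:
    """Return the scheme of a userPassword value, or CLEARTEXT if it has none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit_ldif(ldif_text: str) -> dict:
    """Map each DN in an ldapsearch LDIF dump to its userPassword scheme.
    ldapsearch normally base64-encodes the value ('userPassword:: ...'); both forms are handled."""
    result, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            result[dn] = password_scheme(base64.b64decode(line[15:]).decode("utf-8", "replace"))
        elif line.startswith("userPassword: "):
            result[dn] = password_scheme(line[14:])
    return result

# Constructed sample dump: alice was written after the overlay was enabled, bob before it.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(ssha_hash("s3cret", b"salt").encode()).decode(),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: s3cret",
])
```

Run audit_ldif over the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com userPassword` to find entries that still need a password reset; the overlay only hashes values written after it was loaded.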