Add access control recommendation to discussion of password hashing.

author Kurt Zeilenga <kurt@openldap.org>

Tue, 20 Dec 2005 00:39:28 +0000 (00:39 +0000)

committer Kurt Zeilenga <kurt@openldap.org>

Tue, 20 Dec 2005 00:39:28 +0000 (00:39 +0000)
author Kurt Zeilenga <kurt@openldap.org>
Tue, 20 Dec 2005 00:39:28 +0000 (00:39 +0000)
committer Kurt Zeilenga <kurt@openldap.org>
Tue, 20 Dec 2005 00:39:28 +0000 (00:39 +0000)
diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5

index 7cdb3b6910409535cb264ea92f63a773e561aa8b..58a75a245361776e51ba39fd6167ba2f08df36cb 100644 (file)
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -39,9 +39,11 @@ and no default is given, then no policies will be enforced.
  .TP
  .B ppolicy_hash_cleartext
  Specify that cleartext passwords present in Add and Modify requests should
-be hashed before being stored in the database. This violates the X.500
+be hashed before being stored in the database. This violates the X.500/LDAP
  information model, but may be needed to compensate for LDAP clients that
-don't use the Password Modify exop to manage passwords.
+don't use the Password Modify extended operation to manage passwords.  It
+is recommended that when this option is used that compare, search, and
+read access be denied to all directory users. 
  .TP
  .B ppolicy_use_lockout
  A client will always receive an LDAP
author	Kurt Zeilenga <kurt@openldap.org>
	Tue, 20 Dec 2005 00:39:28 +0000 (00:39 +0000)
committer	Kurt Zeilenga <kurt@openldap.org>
	Tue, 20 Dec 2005 00:39:28 +0000 (00:39 +0000)