From: Kurt Zeilenga Date: Tue, 20 Dec 2005 00:39:28 +0000 (+0000) Subject: Add access control recommendation to discussion of password hashing. X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~557 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=553f59b900d694934f09825251a58904830ef042;p=openldap Add access control recommendation to discussion of password hashing. --- diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 7cdb3b6910..58a75a2453 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -39,9 +39,11 @@ and no default is given, then no policies will be enforced. .TP .B ppolicy_hash_cleartext Specify that cleartext passwords present in Add and Modify requests should -be hashed before being stored in the database. This violates the X.500 +be hashed before being stored in the database. This violates the X.500/LDAP information model, but may be needed to compensate for LDAP clients that -don't use the Password Modify exop to manage passwords. +don't use the Password Modify extended operation to manage passwords. It +is recommended that when this option is used that compare, search, and +read access be denied to all directory users. .TP .B ppolicy_use_lockout A client will always receive an LDAP
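Review bot: The sentence added at the end of the ppolicy_hash_cleartext paragraph recommends denying "compare, search, and read access" but never names what the access applies to, so read literally it covers the whole directory. State the target explicitly (presumably the password attribute the overlay hashes, i.e. userPassword) so an administrator can turn the advice into an access rule without guessing. The recommendation also gives no reason. The preceding text already says that hashing on Add and Modify violates the X.500/LDAP information model, so one clause tying the two together would help, for example that the stored value no longer matches what the client wrote. "to all directory users" should say whether it includes the entry's owner and administrative identities. Style point on the same lines: "It is recommended that when this option is used that compare ..." has a doubled "that"; dropping the second one reads cleanly.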