From 553f59b900d694934f09825251a58904830ef042 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Tue, 20 Dec 2005 00:39:28 +0000
Subject: [PATCH] Add access control recommendation to discussion of password
 hashing.

---
 doc/man/man5/slapo-ppolicy.5 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5
index 7cdb3b6910..58a75a2453 100644
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -39,9 +39,11 @@ and no default is given, then no policies will be enforced.
 .TP
 .B ppolicy_hash_cleartext
 Specify that cleartext passwords present in Add and Modify requests should
-be hashed before being stored in the database. This violates the X.500
+be hashed before being stored in the database. This violates the X.500/LDAP
 information model, but may be needed to compensate for LDAP clients that
-don't use the Password Modify exop to manage passwords.
+don't use the Password Modify extended operation to manage passwords.  It
+is recommended that when this option is used that compare, search, and
+read access be denied to all directory users. 
 .TP
 .B ppolicy_use_lockout
 A client will always receive an LDAP
-- 
2.39.5