Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 2.0.0-M11
- None
Description
Currently, we need to activate the PasswordHash interceptor for Kerberos to be activated. This is fine, except that this interceptor blindly hashes all the added userPassword values on the fly, regardless of whether they are used by Kerberos or not.
It would be way better if the hashing occurred on specific parts of the DIT, those under the searchBaseDN for Kerberos for instance.
The interceptor should contain the list of searchBaseDNs which will see the password hashed.
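
A sketch of the scoping check proposed above, added here as an illustration; it is not ApacheDS code and not part of the original report. The class and method names, the sample base DNs and the `{SSHA256}` storage scheme are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Hypothetical helper: hashes userPassword only for entries under configured base DNs.
public class ScopedPasswordHasher {
    private final List<LdapName> hashedBases = new ArrayList<>();
    private final SecureRandom random = new SecureRandom();

    public ScopedPasswordHasher(List<String> baseDns) throws InvalidNameException {
        for (String dn : baseDns) hashedBases.add(new LdapName(dn));
    }

    // True when entryDn equals a configured base or sits below one.
    // LdapName compares RDN by RDN (case-insensitively), so a plain string
    // suffix such as "xou=users,dc=example,dc=com" does not match.
    boolean inScope(String entryDn) throws InvalidNameException {
        LdapName entry = new LdapName(entryDn);
        for (LdapName base : hashedBases) {
            if (entry.startsWith(base)) return true;
        }
        return false;
    }

    // Returns the value to store in userPassword for the given entry.
    public String process(String entryDn, String userPassword) throws Exception {
        if (!inScope(entryDn)) return userPassword;       // outside the listed subtrees: untouched
        if (userPassword.matches("\\{[A-Za-z0-9-]+\\}.*")) return userPassword; // already carries a scheme prefix
        byte[] salt = new byte[8];
        random.nextBytes(salt);
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        sha.update(userPassword.getBytes(StandardCharsets.UTF_8));
        sha.update(salt);
        byte[] digest = sha.digest();
        byte[] out = new byte[digest.length + salt.length]; // stored form: digest || salt
        System.arraycopy(digest, 0, out, 0, digest.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return "{SSHA256}" + Base64.getEncoder().encodeToString(out);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample DNs; only the first entry is under the configured base.
        ScopedPasswordHasher h = new ScopedPasswordHasher(List.of("ou=users,dc=example,dc=com"));
        System.out.println(h.process("uid=hnelson,ou=Users,dc=example,dc=com", "secret"));
        System.out.println(h.process("uid=svc,ou=apps,dc=example,dc=com", "secret"));
    }
}
```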