When user passwords are imported from LDAP as a password hash, only one of the password hash formats supported by BoKS is set. At the next successful authentication, boks_servc recalculates all password hashes from the clear-text password used for authentication. The problem is that the existing hash is also recalculated, with a new salt, which yields a different hash value even though the password has not changed. In systems that use both LDAP-to-BoKS and BoKS-to-LDAP password synchronization this results in unnecessary password updates, because the recalculated hash cannot be told apart from a real password change when it is fed back to LDAP.
Resolution / Workaround
Apply hotfix HFBM-0066, available from the HelpSystems Community Portal.
In this hotfix, boks_servc is updated to reuse the salt from the existing hashes when recalculating hashes after a successful authentication as described above, so an already-present hash keeps its value and only the missing formats are added. The selection of events to send from BoKS to LDAP via BoKS EMS has also been modified so that a real password change can be separated from the event generated when password hashes are recalculated because of an incomplete password hash list. A real password change has the event path "passwd#change", while password hash recalculation now has a separate event path, "passwd#rehash". This makes it possible to subscribe only to real password changes when feeding BoKS updates to LDAP via BoKS EMS; see the eventd.cfg(5) man page for more information.
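The following Python sketch is an added illustration of the salt-reuse behaviour described above; it is not BoKS code and not from the article or the vendor. It models a user's hash list with the LDAP {SSHA} and {SSHA512} schemes as stand-ins for the BoKS-supported formats (which the article does not list), contrasts recalculating with a fresh salt (pre-hotfix behaviour) against reusing the salt extracted from the stored hash (hotfix behaviour), and shows the passwd#change / passwd#rehash split with a feed that subscribes only to the former. All names and the sample password are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumption: two salted formats stand in for the BoKS-supported hash formats.
# {SSHA}/{SSHA512} follow the LDAP layout base64(digest(password + salt) + salt).
SUPPORTED_FORMATS = ("SSHA", "SSHA512")
DIGESTS = {"SSHA": hashlib.sha1, "SSHA512": hashlib.sha512}
SALT_LEN = 8


def make_hash(fmt, password, salt=None):
    """Hash password in the given format; a fresh random salt unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = DIGESTS[fmt](password.encode() + salt).digest()
    return "{%s}%s" % (fmt, base64.b64encode(digest + salt).decode())


def split_hash(stored):
    """Return (fmt, digest, salt) from a stored '{FMT}base64' string."""
    fmt, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    size = DIGESTS[fmt]().digest_size
    return fmt, raw[:size], raw[size:]


def verify(stored, password):
    """Check a clear-text password against a stored hash using its own salt."""
    fmt, _, salt = split_hash(stored)
    return hmac.compare_digest(make_hash(fmt, password, salt), stored)


def rehash_after_login(hashes, password, reuse_salt=True):
    """Complete an incomplete hash list after a successful authentication.

    reuse_salt=False reproduces the pre-hotfix behaviour (every format gets a new
    salt, so existing hashes change value); reuse_salt=True keeps the salt of
    every hash that is already present and only generates the missing formats.
    """
    completed = {}
    for fmt in SUPPORTED_FORMATS:
        if fmt in hashes and reuse_salt:
            _, _, salt = split_hash(hashes[fmt])
            completed[fmt] = make_hash(fmt, password, salt)
        else:
            completed[fmt] = make_hash(fmt, password)
    return completed


def sync_event(old_hashes, new_hashes, password_changed):
    """Event path for the BoKS-to-LDAP feed after the hotfix's split."""
    if password_changed:
        return "passwd#change"
    if new_hashes != old_hashes:
        return "passwd#rehash"
    return None


# Assumed subscription of the LDAP feed: only real password changes are forwarded.
LDAP_FEED_SUBSCRIPTIONS = ("passwd#change",)


def forward_to_ldap(event_path):
    return event_path in LDAP_FEED_SUBSCRIPTIONS


def demo():
    """Constructed scenario: a user imported from LDAP with a single hash format."""
    password = "correct horse battery staple"  # constructed sample password
    imported = {"SSHA": make_hash("SSHA", password)}
    assert verify(imported["SSHA"], password)

    before_fix = rehash_after_login(imported, password, reuse_salt=False)
    after_fix = rehash_after_login(imported, password, reuse_salt=True)

    existing_hash_changed_before_fix = before_fix["SSHA"] != imported["SSHA"]
    existing_hash_kept_after_fix = after_fix["SSHA"] == imported["SSHA"]
    all_formats_present = set(after_fix) == set(SUPPORTED_FORMATS)
    event = sync_event(imported, after_fix, password_changed=False)
    return (existing_hash_changed_before_fix, existing_hash_kept_after_fix,
            all_formats_present, event, forward_to_ldap(event))


if __name__ == "__main__":
    print(demo())
```

Running the script shows the pre-hotfix recalculation producing a different {SSHA} value for the same password, while the salt-reusing version leaves it untouched and only adds {SSHA512}; the resulting passwd#rehash event is then dropped by a feed that subscribes to passwd#change alone, which is the loop the hotfix breaks.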