- When using "passwd" to change an SSHA hashed password, the resulting password is stored in unix crypt format.
- Any user on a Sun LDAP client can get a list of all ldap users in the directory (including their encrypted password)
After poking around the directory server access logs and ACIs, here's what's going on. The Solaris native LDAP client is binding to the LDAP directory with the proxy user information defined in /var/ldap/ldap_client_cred. As part of the proxy user creation (in idsconfig, I'm assuming) an ACI is created that allows the proxy server to read passwords. When you run ldaplist -l passwd, the LDAP client connects to the directory as the proxy user and does a search for uid=* in ou=people,dc=example,dc=com attributes=ALL. Since the proxy user can read passwords, the encrypted password field is returned by this search and displayed to the user.
The big problem here is that any user on the system can run ldaplist. Also, this returns every user in the directory, not just the users in the netgroups that system is a member of.
For now I've removed the ACI that allows the proxy user to read passwords. This resolves the immediate problem, but may have broken other things. I'm still able to login, change my password, and RBAC seems to be working still.
We'll see how things go over the next couple of days, I guess. :-)