I have an OpenLDAP server with ppolicy using SSHA-512. When a clear-text password is sent from the client, the password is stored as SSHA-512, fine.

My problem appears once an already hashed password is sent, e.g. SHA, SSHA, or even SSHA-512: the hashed value is hashed again as SSHA-512.

I have configured my ppolicy with: olcPPolicyHashCleartext: TRUE

Isn't OpenLDAP ppolicy supposed to distinguish between the cases above and trigger only when clear text is sent?


1 Answer

Long story short, as long as you use PasswordModifyExtendedRequest to update the password with ppolicy configured and olcPPolicyHashCleartext: TRUE, the password value sent, hashed or not, will always be hashed again according to ppolicy.

To store the password without triggering ppolicy, simply avoid using PasswordModifyExtendedRequest and instead use only the default modify/add operations; I personally used the ones from the UnboundID library.

This way you can have your ppolicy configured and decide whether to trigger it and let OpenLDAP hash your password, or hash the password on your own and then send it to OpenLDAP (without it being stubbornly re-hashed!).

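As an added example (not code from the question or the answer), the script below pre-hashes a password in the {SSHA512} layout used by OpenLDAP's pw-sha2 module, builds the LDIF for a plain modify (the operation ldapmodify sends, as opposed to the Password Modify extended operation that ldappasswd sends), and classifies the value read back from the directory as stored-as-sent, hashed once, or hashed a second time, which is how you would confirm whether the double-hashing from the question occurred. The {SSHA512} scheme tag, the 8-byte salt and the DN are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Scheme tag used by OpenLDAP's pw-sha2 module (assumption: that module is loaded)
SCHEME = "{SSHA512}"
SALT_LEN = 8  # assumption; verification reads the salt length from the stored value


def make_ssha512(password: str, salt: bytes = b"") -> str:
    """Pre-hash a cleartext password as base64(sha512(password || salt) || salt),
    the salted layout OpenLDAP uses for its {SSHA*} schemes."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA512} value."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes, the salt follows
    calc = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def classify_stored(cleartext: str, sent: str, stored: str) -> str:
    """Report what slapd did with the value we sent, given the userPassword read back:
    kept it, hashed the cleartext once, or hashed the already-hashed string again."""
    if stored == sent:
        return "stored-as-sent"
    if verify_ssha512(cleartext, stored):
        return "hashed-once"
    if verify_ssha512(sent, stored):
        return "double-hashed"  # the "{SSHA512}..." string itself was used as the password
    return "unknown"


def ldif_replace_password(dn: str, value: str) -> str:
    """LDIF for a plain modify of userPassword (what ldapmodify sends)."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: userPassword", f"userPassword: {value}", ""])


if __name__ == "__main__":
    # Constructed scenario: pre-hash locally, then simulate slapd re-hashing the sent string.
    sent = make_ssha512("s3cret")
    print(ldif_replace_password("uid=alice,ou=people,dc=example,dc=com", sent))  # placeholder DN
    print(classify_stored("s3cret", sent, make_ssha512(sent)))  # double-hashed
```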