Re: ppolicy acting strange
I think you'll find that the password history constraint only applies
where the user is changing their own password. This is pretty much like
using the passwd program: you may not be able to choose the password,
but root can set it to anything.
On Tue, 2005-12-20 at 11:17 -0800, Jim Boden wrote:
> Hi,
>
> I see some of the ppolicy overlay working as expected, but other parts not quite. Hopefully someone here has an idea of what I did wrong.
>
> I configured a default ppolicy as in the tests. I set the pwdInHistory to 6. I then keep changing the password for a user. Because I'm using padl, I bind as an LDAP user that has write perms to the full db, but I'm not using the rootdn.
>
> The pwdMinLength test does work correctly and I have pwdCheckQuality equal to 2. I set the password-hash to {MD5}. As I keep changing the password, the number of pwdHistory entries keeps growing. There are 20 in there now.
>
> So that seems strange. But it also lets me re-use a password I have used previously. With MD5, the hashes are identical for the same pwd so I see the old hash in one of the pwdHistory entries, but it still works.
>
> Any idea why it does not fail on a re-used password?
>
> This is version 2.3.13.
>
> Thanks,
> Jim
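The two symptoms described in the quoted message (more pwdHistory values than pwdInHistory allows, and a current hash that already appears in the history) can be checked offline against an exported entry. This is an added example, not part of the original thread or of OpenLDAP; it assumes pwdHistory values use the time#syntaxOID#length#data layout from the LDAP password policy draft and an unsalted scheme such as {MD5}. The helper names and the sample entry are constructed for illustration.

```python
import base64
import hashlib

OID = "1.3.6.1.4.1.1466.115.121.1.40"  # Octet String syntax OID

def md5_scheme(password: str) -> str:
    """Build an unsalted {MD5} userPassword value, as in the thread's setup."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

def history_value(when: str, password: str) -> str:
    """Build one pwdHistory value (assumed layout: time#syntaxOID#length#data)."""
    data = md5_scheme(password)
    return f"{when}#{OID}#{len(data)}#{data}"

def parse_history(value: str) -> tuple[str, str]:
    """Split one pwdHistory value into (timestamp, stored hash)."""
    when, _oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError(f"length field {length} does not match data ({len(data)})")
    return when, data

def audit_entry(entry: dict, pwd_in_history: int) -> list[str]:
    """Report history overflow and password reuse for one exported entry."""
    findings = []
    history = [parse_history(v) for v in entry.get("pwdHistory", [])]
    if len(history) > pwd_in_history:
        findings.append(
            f"history holds {len(history)} values, policy allows {pwd_in_history}")
    # Unsalted hashes of the same password are identical, so a plain
    # string comparison is enough to spot reuse.
    for when, old in history:
        if old == entry["userPassword"]:
            findings.append(f"current password reuses the one stored at {when}")
    return findings

# Constructed sample entry: three history values, current password reused.
SAMPLE = {
    "userPassword": md5_scheme("winter2005"),
    "pwdHistory": [
        history_value("20051220191700Z", "winter2005"),
        history_value("20051220192000Z", "spring2006"),
        history_value("20051220192300Z", "summer2006"),
    ],
}

if __name__ == "__main__":
    for line in audit_entry(SAMPLE, pwd_in_history=2):
        print(line)
```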