
Re: [ldapext] LDAP - password in history



It is my opinion that if this history is available, it is a risk that should be evaluated.
If you are trying to tell the user that the password they tried to use has already been used, I think there is an error code that is returned that will tell you the reason the password change failed. (At least it may be returned as unwilling to perform.)


But ask the vendor.
-jim



Allan Clarke wrote:

Yes, my application connects to an iPlanet LDAP server with all the password policies I mentioned earlier. I want to know a way my application can check if the user-entered password already exists in history. To do so there should be some attribute in some objectclass which contains the list of passwords, and at the moment I don't know how to get there. There is so little help out there that it is virtually impossible to find anything without any help.

Cheers

Allan

Ludovic Poitou <ludovic.poitou@Sun.com> wrote:

    Hi Allan,

    Your question looks to be related to a specific Directory Server
    implementation, and it may be better to ask the vendor directly...
    The PasswordHistory and PasswordInHistory attributes are Netscape /
    iPlanet / Sun ONE specific as far as I know.

    Regards,

    Ludovic.

    PS: With Sun ONE Directory Server 5.x, if the password is in the
    history (when attempting to CHANGE it), the error returned is
    Constraint Violation and the additional message will tell you that
    the password is in the history.

    Allan Clarke wrote:

    > Hi everybody,
    >
    > My application is written in ColdFusion. We are using LDAP to
    > authenticate users and have a strict password policy. The password
    > expires in 30 days, a warning message is sent to the user 7 days
    > before the password expires. LDAP also remembers 3 passwords in
    > history and ooh I forgot the password encryption is Salted Secure
    > Hashing Algorithm (SSHA).
    >
    > Right, now I want to know a way to check if the user-entered
    > password is already in history. I get an error "Invalid Credentials"
    > when I try to use a password that is in history. I know there is
    > an LDAP attribute "PasswordHistory" and "PasswordInHistory" but I
    > don't know which objectclass they belong to. I see the
    > "PasswordHistory" attribute in the user advanced properties window
    > but it does not have any value. One other question, if this is the
    > only way to check if the password exists in history, how do I add
    > this attribute to my schema?
    >
    > Your help would be greatly appreciated.
    >
    > Regards
    > Allan
    >


-- Ludovic Poitou
Sun Microsystems Inc.
Sun ONE products - Directory Server Group - Grenoble - France






_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
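For readers of this thread who want to see what the history actually contains and why Jim calls its availability a risk: the values behind a Netscape/iPlanet-style password history are salted hashes in the SSHA form the original post names ({SSHA} followed by base64 of sha1(password + salt) + salt), so the history cannot be read back as plaintext, but any party allowed to read the attribute can test candidate passwords against it. The directory itself performs this test when a password change is attempted, which is why the server, not the client, should be trusted to enforce the policy. The block below is an added example written for this page, not code from any of the posters or from Sun ONE Directory Server: it generates SSHA values, verifies a password against one, and checks a candidate against a small constructed history. The tolerance for an arbitrary prefix before the "{SSHA}" marker is an assumption made so that vendor-specific decorations (such as a timestamp) do not break parsing; the history values and salts are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt follows the digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # short random salt, as typically stored by directories
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str) -> tuple:
    """Split a stored value into (digest, salt).

    Assumption for this example: some servers prepend a decoration such as a
    timestamp to history values, so anything before the {SSHA} marker is ignored.
    """
    idx = value.find(SSHA_PREFIX)
    if idx < 0:
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[idx + len(SSHA_PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain digest and salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_in_history(password: str, history: List[str]) -> bool:
    """True if the candidate matches any stored history value.

    This mirrors the check the directory performs server-side on a password
    change; a client that can run it can only do so because it was granted
    read access to the history attribute.
    """
    return any(ssha_verify(password, h) for h in history)


# Constructed sample history: three previous passwords with fixed salts so
# the example is deterministic. The timestamp prefix on the first value is a
# constructed decoration to exercise the prefix-tolerant parser.
SAMPLE_HISTORY = [
    "20040301120000Z" + ssha_hash("Winter2003!", b"\x01\x02\x03\x04"),
    ssha_hash("Spring2004!", b"\xaa\xbb\xcc\xdd"),
    ssha_hash("Summer2004!", b"\x10\x20\x30\x40"),
]


def check_candidate(password: str) -> str:
    """Report, in words, what a password-change attempt would run into."""
    if password_in_history(password, SAMPLE_HISTORY):
        return "rejected: password is in history"
    return "accepted: password not in history"


if __name__ == "__main__":
    for pw in ("Spring2004!", "Autumn2004!"):
        print(pw, "->", check_candidate(pw))
```

The verify step uses hmac.compare_digest rather than == so that a comparison against a readable history does not leak digest bytes through timing; in practice the check belongs on the server, and reading passwordHistory from a client should require an explicit access-control decision.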