(ITS#4276) Password policy history and complexity ignored with exop pwd change

Full_Name: Jim Boden
Version: 2.3.13
OS: Solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I tested this using PADL on Solaris 10 x86. The PADL pam_ldap was linked against
the openldap 2.3.13 libldap.so. Only some of the ppolicy works fine when using
exop. I got this back from Howard when asking about it:

No, the exop only accepts passwords in plaintext and then generates the hash
later. As such, quality checking can always be performed when using the exop.

So I'm assuming this to mean that exop should fully follow the default ppolicy.
It does not in the following areas:

pwdHistory - I configured for 6, yet my user entry grows forever and lets me
re-use passwords. I tested with password-hash of {MD5}.

complexity - Min length seems to work, but the complexity (letters/numbers) is
not followed.

I then changed the PADL to NOT use exop, but rather send pwds in the clear. The
first time I changed a password with this new config, the pwdHistory for my test
user went back to saving only 6 (like it should) and the complexity started
being followed.

I suppose this could be blamed on PADL pam_ldap but I did link it with OpenLDAP
libldap.so for 2.3.13 so I figured it might be an OpenLDAP issue.

I'm using a work-around of passwords in the clear, over SSL, and using the
password-hash entry in slapd.conf.
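As an added example (not part of this report or of OpenLDAP's own code), the checks the reporter expected the ppolicy overlay to enforce, written in Python against constructed pwdHistory values in the draft password-policy format `time#syntaxOID#length#data` with {MD5} hashes; the letters-and-numbers complexity rule, the pwdMinLength of 8 and the sample passwords are assumptions.

```python
import base64
import hashlib

USERPASSWORD_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"  # Octet String syntax OID recorded by ppolicy

def md5_hash(plaintext):
    """OpenLDAP {MD5} userPassword form: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(plaintext.encode()).digest()).decode()

def history_value(timestamp, hashed):
    """Build one pwdHistory value: time#syntaxOID#length#data."""
    return f"{timestamp}#{USERPASSWORD_SYNTAX}#{len(hashed)}#{hashed}"

def parse_history_value(value):
    """Split a pwdHistory value and verify its length field against the data."""
    timestamp, oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field disagrees with data")
    return timestamp, oid, data

def matches_stored(plaintext, stored):
    """Compare a plaintext candidate with a stored {MD5} value (other schemes out of scope here)."""
    return stored.startswith("{MD5}") and md5_hash(plaintext) == stored

def check_change(candidate, history_values, pwd_in_history=6, pwd_min_length=8):
    """Return the violations a correctly applied policy raises for this password change."""
    violations = []
    if len(candidate) < pwd_min_length:
        violations.append("pwdMinLength")
    # Hypothetical letters-and-numbers rule standing in for the reporter's 'complexity'
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        violations.append("complexity")
    # Only the newest pwdInHistory values count; older ones should already have been dropped
    recent = sorted(history_values, key=lambda v: parse_history_value(v)[0])[-pwd_in_history:]
    if any(matches_stored(candidate, parse_history_value(v)[2]) for v in recent):
        violations.append("pwdInHistory")
    return violations

def history_overflow(history_values, pwd_in_history=6):
    """Audit check for the symptom reported: the entry holds more pwdHistory values than pwdInHistory."""
    return len(history_values) > pwd_in_history

# Constructed sample: a user who rotated through eight passwords while pwdInHistory was 6
OLD_PASSWORDS = [f"Winter200{n}" for n in range(8)]
SAMPLE_HISTORY = [history_value(f"2006010100000{n}Z", md5_hash(p))
                  for n, p in enumerate(OLD_PASSWORDS)]
```

Running `history_overflow(SAMPLE_HISTORY)` over an entry's real pwdHistory values is a quick way to spot the ever-growing history described in the report.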