[Date Prev][Date Next]
Re: (ITS#5285) password policy checks userPassword hash even without policies
> Full_Name: Matthew Backes
> Version: 2.3, 2.4, head, etc
> OS: all
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (22.214.171.124)
> When receiving a new userPassword, slapo-ppolicy checks to see if that password
> matches the hash already present in userPassword, and disallows it if this is
> the case.
> This is a sensible default for most circumstances, as otherwise the user could
> reset their age counters by using the same password.
> Unfortunately, it also blocks arguably-legitimate password changes; e.g. when
> migration to SSHA from CRYPT where the first 8 chars of the new password match
> the old.
> This patch changes this userPassword-has-changed check to only apply if there is
> a password policy defined which requires it; in particular, any of pwdInHistory,
> pwdMinAge, pwdMaxAge, pwdCheckQuality, or pwdMustChange must apply for this
> check to be enforced.
Rereading draft-behera, it says
This attribute specifies the maximum number of used passwords stored
in the pwdHistory attribute.
If this attribute is not present, or if the value is 0, used
passwords are not stored in the pwdHistory attribute and thus may be
As such the test can be simplified. Committing to HEAD.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/