Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements



On Mon, Sep 23, 2019 at 05:08:19PM +0200, Ondřej Kuzník wrote:
> Hi Greg,
> thanks for both, I should merge that soon.

Wonderful, thank you. :-)

> On a side note, any ideas how to deal with ppolicy's pwdHistory here so
> it can reject changing the password to an old one? AFAIK using these
> schemas will prevent slap_passwd_check() from working and there isn't an
> obvious way to proceed.

I'm not familiar enough with how the ppolicy overlay hooks in
to say ATM.  I'll poke at this a bit and see if anything comes
to mind...  If the user is using the exop to set the password
we do have access to the plaintext reusable password stripped
of the OTP seed in the new hash_totp_and_pw() function, so if
there's something better than calling lutil_passwd_hash()
directly to restore this functionality I'd be perfectly fine
with that change.  Though I'm guessing it won't be quite that
easy. ;-)

-- 
Greg Veldman