Re: passwd policy overlay status

[Doug White <dwhite@gumbysoft.com>]

On Tue, 24 May 2005, Howard Chu wrote:

> >Whats the status of the password policy overlay in OpenLDAP 2.3? The
> >credit card industry is mandating Windows-style account expiry and lockout
> >controls and we'd like to use the ppolicy overlay to implement it using
> >our existing OpenLDAP/pam_ldap-based authentication system.  The manpage
> >seems relatively complete and the code looks in decent shape, but there's
> >some missing details that I'm hoping you can help out with.
> >
> >2.3 is still in beta stage and we'd like to not use that in production;
> >has someone backported the ppolicy overlay to 2.2?
> >
> The overlay was originally written for 2.2. However, the current code in
> CVS will only work with 2.3. The differences are probably minor, if you
> really want to get it running again under 2.2. Since that would be a new
> feature for 2.2, it is not something we will do as part of the Project.
> But as an alternative, you can use Symas CDS 2, which is based on
> OpenLDAP 2.2, and has this and many other overlays already bundled.

Noted.

> >In the password history, how are the old passwords encoded? Are they just
> >a copy of the prior userPassword attribute value (i.e., hashed) or do they
> >end up in cleartext?
> >
> >
> They are a copy of the previous userPassword attribute value. If the
> previous value was cleartext, it will remain as cleartext. If it was
> hashed, it will remain hashed. Certainly we cannot reverse a hash to
> turn it back into cleartext.

I assume, then, that when doing the history compare, the overlay rehashes
the proposed plaintext with the salt of the hash its comparing to?

> >Does anyone have an example of a working config? :-)
> >
> See the test suite. Test022 sets up a ppolicy instance and exercises the
> functions.

Perfect, thanks!

-- 
Doug White                    |  FreeBSD: The Power to Serve
dwhite@gumbysoft.com          |  www.FreeBSD.org