[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy - password history

To: Andris.Eiduks@tietoenator.com
Subject: Re: Ppolicy - password history
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 18 Jan 2007 16:47:49 +0100
Cc: openldap-software@openldap.org
In-reply-to: <1FABB43D1E997C49B412A3008386ADB9025EBF72@dino.eu.tieto.com>
References: <1FABB43D1E997C49B412A3008386ADB9025EBF72@dino.eu.tieto.com>
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Andris.Eiduks@tietoenator.com wrote:

Hi,

I try password history checking in OpenLDAP 2.3.32 and change user
password using LDAP browser.

When I enterer repaeted cleartext password then ppolicy returned expected decline "Password is in history of old passwords". But by password changing to any encrypted value ( the same password two and more times) OpenLDAP doesn't verify old password.

In log-file I found similar info about password changing for both cases:

Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory:
modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory:
modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete
pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add
pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type
"pwdHistory"

Slapd.conf : .... ....

moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
ppolicy_hash_cleartext
ppolicy_use_lockout

Encrypted values can't be decrypted to check history. Ppolicy needs the cleartext password to save the history.

p.

Follow-Ups:
- RE: Ppolicy - password history
  - From: <Andris.Eiduks@tietoenator.com>

References:
- Ppolicy - password history
  - From: <Andris.Eiduks@tietoenator.com>

Prev by Date: Re: Sync questions
Next by Date: Re: ldapsearch across back-sql and non-back-sql tree
Index(es):
- Chronological
- Thread