
RE: Ppolicy - password history



Hi, 

Very strange, because ppolicy with the parameter ppolicy_hash_cleartext also
stores the encrypted password value.
Then where is the problem to store received encrypted passwords and also
check this encrypted value against pwdHistory?

Otherwise we have a problem with PCI DSS requirements:

8.4 Encrypt all passwords during transmission and storage on all system
components.

8.5.12 Do not allow an individual to submit a new password that is the
same as any of the last four passwords he or she has used.


Andris 

-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it] 
Sent: Thursday, January 18, 2007 5:48 PM
To: Eiduks Andris
Cc: openldap-software@openldap.org
Subject: Re: Ppolicy - password history


Andris.Eiduks@tietoenator.com wrote:
> Hi,
> 
> I try password history checking in OpenLDAP 2.3.32 and change user 
> password using LDAP browser.
> 
> When I entered a repeated cleartext password then ppolicy returned the 
> expected decline "Password is in history of old passwords". But by 
> password changing to any encrypted value (the same password two and 
> more times) OpenLDAP doesn't verify the old password.
> 
> In log-file I found similar info about password changing for both 
> cases:
> 
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
> 
> 
> Slapd.conf :
> ....
> ....
> 
> moduleload ppolicy.la
> overlay ppolicy
> ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
> ppolicy_hash_cleartext
> ppolicy_use_lockout

Encrypted values can't be decrypted to check history.  Ppolicy needs the
cleartext password to save the history.

p.
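The mechanism behind Pierangelo's answer, shown as an added Python example that is not code from the thread or from OpenLDAP: a minimal {SSHA} hasher and the two kinds of history check, run on constructed passwords with fixed salts so the outcome is deterministic.

```python
import base64
import hashlib
import os
from typing import List, Optional, Tuple

# Constructed example, not OpenLDAP's implementation: models why a history
# check needs the cleartext.  {SSHA} is base64(sha1(password + salt) + salt).


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} userPassword value; random 4-byte salt by default."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Verify a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def in_history_cleartext(new_password: str, pwd_history: List[str]) -> bool:
    """With cleartext, ppolicy can re-hash the candidate under each stored
    salt and compare, so a reused password is detected whatever its salt."""
    return any(ssha_verify(new_password, old) for old in pwd_history)


def in_history_prehashed(new_value: str, pwd_history: List[str]) -> bool:
    """With a client-hashed value the server cannot recover the cleartext;
    only a byte-identical string can match, and any other salt defeats it."""
    return new_value in pwd_history


def demo() -> Tuple[bool, bool, bool]:
    # Constructed history: two old passwords hashed with fixed server salts.
    history = [ssha_hash("Winter2007!", b"\x01\x02\x03\x04"),
               ssha_hash("Autumn2006!", b"\x05\x06\x07\x08")]
    reused_clear = in_history_cleartext("Winter2007!", history)       # caught
    reused_prehashed = in_history_prehashed(                          # missed
        ssha_hash("Winter2007!", b"\x09\x0a\x0b\x0c"), history)
    same_salt = in_history_prehashed(                                 # caught
        ssha_hash("Winter2007!", b"\x01\x02\x03\x04"), history)
    return reused_clear, reused_prehashed, same_salt
```

The middle result is the behaviour reported in the thread: a pre-hashed value is accepted even though the underlying password is in pwdHistory, and only the improbable case of the client reusing the server's exact salt would be caught.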