RE: Ppolicy - password history
Then do you recommend using only cleartext passwords from the *client* side?
And if the *client* performs password encryption, then must the password history
be stored and compared by *client*-side soft?
From: Howard Chu [mailto:firstname.lastname@example.org]
Subject: Re: Ppolicy - password history
> Very strange, because ppolicy by parameter ppolicy_hash_cleartext
> store also encrypted password value. Then where is the problem store
> received encrypted passwords and also check from pwdHistory this
> encrypted value?
The difference is that when the *server* encrypts it, it has a chance to
validate the cleartext first. When the *client* encrypts it, no such
opportunity exists for the server.
> Otherwise we have a problem with PCI DSS requirements:
> 8.4 Encrypt all passwords during transmission and storage on all
> system components.
The obvious solution to meet this requirement is to make sure that all
connections are encrypted (using TLS, SASL, or IPSEC).
> 8.5.12 Do not allow an individual to submit a new password that is the
> same as any of the last four passwords he or she has used
> -----Original Message-----
> From: Pierangelo Masarati [mailto:email@example.com]
> Sent: Thursday, January 18, 2007 5:48 PM
> To: Eiduks Andris
> Cc: firstname.lastname@example.org
> Subject: Re: Ppolicy - password history
> Andris.Eiduks@tietoenator.com wrote:
>> I try password history checking in OpenLDAP 2.3.32 and change user
>> password using LDAP browser.
>> When I entered repeated cleartext password then ppolicy returned
>> expected decline "Password is in history of old passwords". But by
>> password changing to any encrypted value (the same password two and
>> more times) OpenLDAP doesn't verify old password.
>> In log-file I found similar info about password changing for both
>> Jan 18 13:25:15 KS-Test-1 slapd: acl: internal mod pwdHistory: modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd: acl: internal mod pwdHistory: modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd: bdb_modify_internal: delete
>> Jan 18 13:25:15 KS-Test-1 slapd: bdb_modify_internal: add
>> Jan 18 13:25:15 KS-Test-1 slapd: oc_check_allowed type
>> Slapd.conf :
>> moduleload ppolicy.la
>> overlay ppolicy
>> ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
> Encrypted values can't be decrypted to check history. Ppolicy needs
> cleartext password to save the history.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
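As an added illustration of the point made above (example code written for this page, not code from OpenLDAP or from anyone in the thread): a minimal server-side history check over {SSHA} values of the kind ppolicy_hash_cleartext stores, showing why a value the client has already hashed cannot be compared against pwdHistory. The passwords and salts are constructed sample data; the function names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample data: four previous passwords with fixed salts so the run is deterministic
OLD_PASSWORDS = ["Winter2006", "Autumn2006", "Summer2006", "Spring2006"]
OLD_SALTS = [b"\x01\x02\x03\x04", b"\x05\x06\x07\x08", b"\x09\x0a\x0b\x0c", b"\x0d\x0e\x0f\x10"]


def ssha_hash(cleartext: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(cleartext: str, stored: str) -> bool:
    """Re-hash the cleartext with the salt recovered from the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# What pwdHistory holds when the server hashes: salted hashes, never cleartext
HISTORY = [ssha_hash(pw, salt) for pw, salt in zip(OLD_PASSWORDS, OLD_SALTS)]


def is_prehashed(value: str) -> bool:
    """A client-supplied '{scheme}...' value: the server has no cleartext to re-hash."""
    return value.startswith("{") and "}" in value


def in_history(cleartext: str, history: list) -> bool:
    """Server-side check: the submitted cleartext is tried against every stored salt."""
    return any(ssha_verify(cleartext, h) for h in history)


def check_change(submitted: str, history: list) -> str:
    """Mimic the decision the server can (or cannot) make for a new userPassword value."""
    if is_prehashed(submitted):
        # No cleartext: every history entry carries its own salt, so nothing can be compared
        return "stored unchecked: pre-hashed value"
    if in_history(submitted, history):
        return "rejected: password is in history"
    return "accepted"
```

The same old password re-hashed by a client with a fresh salt yields a string that matches nothing in HISTORY, which is exactly the gap seen in the log above.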