ppolicy + slapcat = ldif vulnerability?
I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.
I have set up a default ppolicy such that 3 old passwords are stored in a user's pwdHistory attribute.
When I back up the bdb database via slapcat -l backup.ldif, the userPassword field looks to be Base64 hashed,
but the passwd history leaves the passwd hashes visible.
Obviously these backup LDIF files are kept as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcated?
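The following is an added example, not part of the original post: a small audit script that reads a slapcat-style LDIF and lists every stored password value from both userPassword and pwdHistory. It relies on two format facts: in LDIF an `attr:: value` line is base64 encoding of the stored value, and ppolicy history values use the `time#syntaxOID#length#data` layout. The entry, hash strings and function names are constructed for illustration.

```python
import base64

# Constructed placeholder hash strings and entry; not real credentials.
CUR_HASH = "{SSHA}CONSTRUCTEDcurrentHASHplaceholder0000=="
OLD_HASH = "{SSHA}CONSTRUCTEDoldHASHplaceholder00000000=="
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=people,dc=example,dc=com\n"
    "uid: jdoe\n"
    "userPassword:: " + base64.b64encode(CUR_HASH.encode()).decode() + "\n"
    "pwdHistory: 20090101120000Z#1.3.6.1.4.1.1466.115.121.1.40#"
    + str(len(OLD_HASH)) + "#" + OLD_HASH[:10]
    + "\n " + OLD_HASH[10:] + "\n"  # folded continuation line, as in long LDIF lines
)


def parse_ldif(text):
    """Yield (attribute, decoded value) pairs, unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" means base64-encoded, not hashed
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        yield attr, value


def credential_material(text):
    """Return [(attribute, scheme, hash string)] for each stored password value."""
    found = []
    for attr, value in parse_ldif(text):
        if attr.lower() == "userpassword":
            stored = value
        elif attr.lower() == "pwdhistory":
            parts = value.split("#", 3)  # time#syntaxOID#length#data
            if len(parts) != 4:
                continue
            stored = parts[3]
        else:
            continue
        scheme = stored[1:stored.index("}")] if stored.startswith("{") and "}" in stored else "none"
        found.append((attr, scheme, stored))
    return found


if __name__ == "__main__":
    for attr, scheme, stored in credential_material(SAMPLE_LDIF):
        print(f"{attr}: scheme={scheme} value={stored}")
```

Run against a backup, the output shows which entries carry password hashes and under which scheme, which helps decide how the LDIF file itself needs to be protected.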