
ppolicy + slapcat = ldif vulnerability?

I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.

openldap 2.4.6
bdb backend
ppolicy overlay

I have set up a default ppolicy such that 3 old passwords are stored in a user's pwdHistory attribute.

When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks to be Base64 hashed.

But the passwd history leaves the passwd hashes visible.

pwdHistory: 20071203220105Z#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4

Obviously these backup LDIF files are kept as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcated?
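As an added illustration of the point in this thread (this is not code from the original post or from OpenLDAP): a small Python parser for slapcat-style LDIF that decodes the "attr:: value" base64 form used for userPassword, pulls the hash out of each pwdHistory value, and shows the two are the same material. It then writes a copy of the export with both attributes stripped, the kind of copy you would hand to someone who only needs the tree. The LDIF text, the entry and the SSHA strings are constructed placeholders; the pwdHistory value is split on '#' so both the time#hash shape shown in the post and the draft ppolicy time#syntaxOID#length#data shape are handled. What it makes concrete: base64 is an encoding, not a hash, so the userPassword line in the backup carries exactly what pwdHistory shows in clear, and backup handling has to treat both attributes as password material.

```python
import base64
from collections import defaultdict

# Constructed placeholder values: these are not real SSHA hashes.
CURRENT_HASH = "{SSHA}constructedhash0000"
OLD_HASH = "{SSHA}constructedhash1111"

# A slapcat-style entry shaped like the post describes: userPassword in the
# LDIF base64 form ("attr:: ..."), pwdHistory written as-is. Constructed.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: alice\n"
    "userPassword:: " + base64.b64encode(CURRENT_HASH.encode()).decode() + "\n"
    "pwdHistory: 20240101120000Z#" + CURRENT_HASH + "\n"
    "pwdHistory: 20230601120000Z#" + OLD_HASH + "\n"
    "\n"
)

PASSWORD_ATTRS = ("userPassword", "pwdHistory")


def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts.

    Folded lines (leading space) are joined and "attr:: value" is
    base64-decoded. Decoding reverses an encoding, not a hash: the decoded
    string is exactly what the directory stores.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = None
            continue
        if line.startswith("#"):
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current[attr.strip()].append(value)
    if current:
        entries.append(dict(current))
    return entries


def history_hashes(entry):
    """Return the stored hash from each pwdHistory value.

    Handles the "time#hash" shape from the post and the draft ppolicy
    "time#syntaxOID#length#data" shape by taking the data field.
    """
    hashes = []
    for value in entry.get("pwdHistory", []):
        parts = value.split("#")
        hashes.append("#".join(parts[3:]) if len(parts) >= 4 else "#".join(parts[1:]))
    return hashes


def current_hash_in_history(entry):
    """True when the decoded userPassword equals a hash visible in pwdHistory,
    i.e. the "::" encoding hid nothing the history did not already show."""
    return any(pw in history_hashes(entry) for pw in entry.get("userPassword", []))


def redact_password_attrs(entries, attrs=PASSWORD_ATTRS):
    """Drop password-bearing attributes for an export that can be shared
    more widely than the real backup."""
    return [{a: list(v) for a, v in e.items() if a not in attrs} for e in entries]


def _needs_base64(value):
    # LDIF rules: base64 when the value is not printable ASCII, starts with
    # space, ':' or '<', or ends with a space.
    if not value or not value.isascii() or not value.isprintable():
        return True
    return value[0] in " :<" or value[-1] == " "


def write_ldif(entries):
    """Serialise entries back to LDIF, base64-encoding values that need it."""
    out = []
    for entry in entries:
        for attr, values in entry.items():
            for value in values:
                if _needs_base64(value):
                    out.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
                else:
                    out.append(f"{attr}: {value}")
        out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for entry in parsed:
        print(entry["dn"][0], "history exposes current hash:", current_hash_in_history(entry))
    print(write_ldif(redact_password_attrs(parsed)))
```

Run it against a real slapcat output to see how many entries report True; the redacted writer is only for copies that leave the backup's own access controls, the real backup still needs the hashes to restore accounts.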