ppolicy + slapcat = ldif vulnerability?

I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.

openldap 2.4.6
bdb backend
ppolicy overlay

I have set up a default ppolicy such that 3 old passwords are stored in a user's pwdHistory attribute.

When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks to be Base64 hashed.

userPassword:: e1NTSEF9VWFTNDNVDRWEx1QzEyWjASGVWc0VZHRNTmt4M1c=

but the passwd history leaves the passwd hashes visible.

pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4

Obviously these backup LDIF files are kept as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcated?

Scott
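As an added example, not part of Scott's post or of OpenLDAP itself: a small audit script that reads a slapcat dump, decodes the `::` base64 values (base64 in LDIF is an encoding, not a hash) and reports any userPassword or pwdHistory value that lacks a {SCHEME} prefix. The sample LDIF is constructed around the two lines quoted above plus one made-up cleartext history entry; the DN is invented.

```python
"""Audit a slapcat LDIF dump for password values without a hash-scheme prefix."""
import base64
import re

# Constructed sample: the two attribute lines quoted in the post, plus a
# made-up cleartext pwdHistory entry to show what a finding looks like.
SAMPLE_LDIF = """\
dn: uid=scott,dc=example,dc=com
userPassword:: e1NTSEF9VWFTNDNVDRWEx1QzEyWjASGVWc0VZHRNTmt4M1c=
pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4
pwdHistory: 20071001120000Z#1.3.6.1.4.1.1466.115.121.1.40#9#hunter2xx
"""

# A hashed value starts with a scheme tag such as {SSHA}, {SHA} or {CRYPT}.
SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9-]+\}")


def ldif_attributes(text):
    """Yield (name, raw_bytes) per attribute line: unfold continuations, decode '::' base64."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # RFC 2849 folded continuation line
        else:
            lines.append(line)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith("<"):  # malformed line or URL-valued attribute
            continue
        if value.startswith(":"):  # 'attr:: <base64>' is only an encoding
            yield name, base64.b64decode(value[1:].strip())
        else:
            yield name, value.strip().encode()


def unhashed_passwords(text):
    """Return [(attribute, value)] for password values that carry no {SCHEME} prefix."""
    findings = []
    for name, raw in ldif_attributes(text):
        if name == "userPassword":
            pw = raw
        elif name == "pwdHistory":
            pw = raw.split(b"#", 3)[-1]  # format: time#syntaxOID#length#data
        else:
            continue
        if not SCHEME_RE.match(pw):
            findings.append((name, pw.decode("latin-1")))
    return findings


if __name__ == "__main__":
    for attr, value in unhashed_passwords(SAMPLE_LDIF):
        print(f"cleartext password in {attr}: {value}")
```

Run it against a real `slapcat -l backup.ldif` output by reading the file into `unhashed_passwords`; both values quoted in the post decode to an {SSHA}-tagged hash, so only the constructed entry is reported.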