Re: ppolicy + slapcat = ldif vulnerability?
I imagine the question would be if this is successful or not -- i.e., if
you have a userPassword -> pwdHistory value with high characters and
attempt to reuse it later, does this allow the password to be improperly
reused? If you've got some data where this is happening and can run that
experiment, that'd be a good data point.
On Mon, 3 Dec 2007, Scott Classen wrote:
I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.
I have set up a default ppolicy such that 3 old passwords are stored in a user's pwdHistory attribute.
When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks to be Base64 hashed,
but the passwd history leaves the passwd hashes visible.
Obviously these backup LDIF files are kept as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcated?
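An added example, not code from this thread: it builds a constructed slapcat-style LDIF (placeholder {SSHA} values, not real hashes) and decodes it, showing that the "::" base64 form on userPassword is only an encoding and that each pwdHistory data field carries the same kind of stored value. It assumes the time#syntaxOID#length#data layout from the password-policy draft and that slapcat base64-encodes userPassword unconditionally but other attributes only when they contain non-ASCII bytes (the "high characters" case raised above).

```python
"""Decode a slapcat LDIF and compare what userPassword and pwdHistory expose.
Base64 ('::' lines) is an encoding, not a hash: decoding returns the stored
value unchanged, and a pwdHistory data field holds the same kind of value."""
import base64
import re

LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# Constructed sample values, not real credentials: the {SSHA} strings are
# placeholders in slappasswd's format; the second old value was stored in the
# clear and contains a non-ASCII byte, which forces slapcat's '::' form.
CURRENT = b"{SSHA}c3VwZXJzZWNyZXRoYXNoMDAwMDAwMDAxMjM0"
OLD_HASH = b"{SSHA}b2xkZXJoYXNoMDAwMDAwMDAwMDAwMDAxMjM0"
OLD_CLEAR = "pässword".encode()


def history_value(stamp: str, stored: bytes) -> bytes:
    """pwdHistory layout from the password-policy draft: time#syntaxOID#length#data."""
    return b"%s#1.3.6.1.4.1.1466.115.121.1.40#%d#%s" % (stamp.encode(), len(stored), stored)


# Assumed slapcat behaviour: userPassword always base64, other values only when not printable ASCII.
SAMPLE_LDIF = "\n".join([
    "dn: uid=scott,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(CURRENT).decode(),
    "pwdHistory: " + history_value("20071201120000Z", OLD_HASH).decode(),
    "pwdHistory:: " + base64.b64encode(history_value("20071101120000Z", OLD_CLEAR)).decode(),
]) + "\n"


def parse_entry(text: str) -> dict:
    """Minimal LDIF reader: unfold continuation lines, decode '::' values to raw bytes."""
    attrs = {}
    for line in text.replace("\n ", "").splitlines():
        m = LDIF_LINE.match(line)
        if m:
            name, sep, value = m.groups()
            attrs.setdefault(name, []).append(base64.b64decode(value) if sep == "::" else value.encode())
    return attrs


def exposed_values(ldif: str) -> dict:
    """What a reader of the backup recovers: the current value and each history data field."""
    entry = parse_entry(ldif)
    history = []
    for v in entry.get("pwdHistory", []):
        _stamp, _oid, length, data = v.split(b"#", 3)
        if int(length) != len(data):
            raise ValueError("pwdHistory length field does not match its data")
        history.append(data)
    return {"current": entry["userPassword"], "history": history}
```

Running exposed_values(SAMPLE_LDIF) returns the current {SSHA} string and both old values in the clear, so a backup needs the same protection regardless of which attribute slapcat chose to base64-encode.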