
Re: Last bind timestamp?

Pat Riehecky writes:
> In the long run I would love to use ppolicy for this, but (...)

OK, overlay accesslog for both Bind and updates then.  Then regularly
pull updates out from the accesslog database.  Or accesslog for Bind
and auditlog for updates.  Or if you want an overlay which does this,
auditlog + accesslog's Bind recognition should provide a good template.

Unless ppolicy does support just recording multi-value changes, as long
as expiry and so on is turned off so it doesn't have to modify anything
itself.  Haven't tried.

> Right now I have some MD5 some CRYPT and some SSHA floating about.  For
> reasons beyond my control, at this time, anyone who changes their
> password gets all three. Eventually I hope to move everyone to SSHA, but
> until then ppolicy cannot work for me.  It doesn't support the crazy
> multiple password entries per user thing I have going on.

Sounds like it would be useful for ppolicy to support that.  Would need
a ppolicy config option saying "assume multiple userPassword values are
different hashes of the same password".

> Realistically I don't expect to have to keep the multi-password hashes
> for long, but like any place... just because we should doesn't mean we
> won't wander off in the wrong direction.

So true:-(
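
The "pull updates out from the accesslog database" step suggested above, sketched as an added example that is not part of the original message or of OpenLDAP: it reads accesslog Bind entries exported as LDIF and keeps the newest successful Bind per DN. It assumes the overlay's auditBind, reqDN, reqStart and reqResult attributes; the cn=accesslog suffix, the user DNs and the function names are constructed for illustration.

```python
import base64
from datetime import datetime

def parse_record(block):
    """Parse one LDIF record into {attr: [values]}, decoding 'attr:: base64'."""
    rec = {}
    for line in block.splitlines():
        attr, sep, val = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        rec.setdefault(attr.lower(), []).append(val.strip())
    return rec

def last_successful_binds(ldif_text):
    """Map lower-cased bind DN -> newest reqStart (UTC) among successful Binds."""
    last = {}
    for block in ldif_text.replace("\n ", "").split("\n\n"):  # unfold, split records
        rec = parse_record(block)
        dn = rec.get("reqdn", [""])[0].lower()
        is_bind = "auditbind" in [v.lower() for v in rec.get("objectclass", [])]
        if not is_bind or not dn or rec.get("reqresult") != ["0"]:
            continue  # not a Bind, anonymous, or failed (49 = invalidCredentials)
        when = datetime.strptime(rec["reqstart"][0], "%Y%m%d%H%M%S.%f%z")
        last[dn] = max(when, last.get(dn, when))
    return last

# Constructed sample in the shape ldapsearch prints for accesslog Bind entries.
BOB_B64 = base64.b64encode(b"uid=bob,ou=people,dc=example,dc=org").decode()
SAMPLE = f"""\
dn: reqStart=20240105101500.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240105101500.000001Z
reqDN: uid=alice,ou=people,
 dc=example,dc=org
reqResult: 0

dn: reqStart=20240107083000.000002Z,cn=accesslog
objectClass: auditBind
reqStart: 20240107083000.000002Z
reqDN: uid=alice,ou=people,dc=example,dc=org
reqResult: 49

dn: reqStart=20240106120000.000003Z,cn=accesslog
objectClass: auditBind
reqStart: 20240106120000.000003Z
reqDN:: {BOB_B64}
reqResult: 0
"""
```

The later failed Bind for alice (reqResult 49) does not move her timestamp, which is what a "last successful login" report needs when stale accounts are being reviewed.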