Re: OpenLDAP Issues
On Monday, 28 June 2010 16:43:34 Allgood, John wrote:
> Hey All
> Does anyone know why when I change pam_password exop in /etc/ldap.conf my
> password history and check_password module that I built into ppolicy stop
Define "stop working". Is it not updating password history attributes? Or, is
it not preventing you from using passwords from when they were being hashed on
the client side?
Was this working (as you claimed) correctly, with these two features, when you
changed your password with ldappasswd?
It could be that your default server hash (please check the hash on passwords
changed via pam_ldap with 'pam_password exop', or by ldappasswd) may not be
md5, in which case, your new password hashes will be different to the old ones,
even if the passwords are the same ...
Either correct your 'password-hash' in slapd.conf, restart, test etc., or
stick with your current config, and ensure you're not testing against any old
(md5) password hashes (in password histories).
> This is OpenLDAP 2.4.21 built from source running on CentOS 5.5.
> It worked fine when I had pam_password md5.
Well, note that in this case, the server would never see the clear-text, so a
check_password module would not be able to do very much ...
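
Added example, not part of the original message and not OpenLDAP's own code: a Python sketch of the check suggested above, reading the `{SCHEME}` prefix on stored values and showing why a pre-hashed password in a different scheme never matches an older `{MD5}` history entry. The `reuse_detected` logic is a simplified model (an assumption), and the password, timestamp and history entry are constructed sample data.

```python
import base64, hashlib, hmac, re

# scheme -> (hash algorithm, digest size); any bytes after the digest are the salt
ALGO = {"MD5": ("md5", 16), "SMD5": ("md5", 16), "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}

def make_hash(scheme, password, salt=b""):
    """Build a userPassword value: {SCHEME}base64(digest(password+salt)+salt)."""
    digest = hashlib.new(ALGO[scheme][0], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def scheme_of(value):
    """Return the upper-cased {SCHEME} prefix, or None if the value has none."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else None

def verify(password, stored):
    """Server-side view: test a cleartext password against one stored hash."""
    scheme = scheme_of(stored)
    if scheme not in ALGO:
        return False
    raw = base64.b64decode(stored[stored.index("}") + 1:])
    algo, size = ALGO[scheme]
    digest = hashlib.new(algo, password.encode() + raw[size:]).digest()
    return hmac.compare_digest(digest, raw[:size])

def history_hashes(history):
    """pwdHistory values are laid out as time#syntaxOID#length#data."""
    return [entry.split("#", 3)[3] for entry in history]

def reuse_detected(new_value, history, cleartext):
    """Simplified model, not slapd's code: with cleartext every history entry
    can be re-hashed and tested; a pre-hashed value can only be string-matched."""
    stored = history_hashes(history)
    if cleartext:
        return any(verify(new_value, h) for h in stored)
    return new_value in stored

# Constructed sample: one history entry left over from the {MD5} period.
OID = "1.3.6.1.4.1.1466.115.121.1.40"
OLD = make_hash("MD5", "secret")
HISTORY = ["20100601120000Z#%s#%d#%s" % (OID, len(OLD), OLD)]

if __name__ == "__main__":
    print("history schemes:", [scheme_of(h) for h in history_hashes(HISTORY)])
    print("cleartext reuse caught:", reuse_detected("secret", HISTORY, True))
    print("pre-hashed {SSHA} reuse caught:",
          reuse_detected(make_hash("SSHA", "secret", b"salt"), HISTORY, False))
```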