[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP Issues

Hey Mike

Thanks for the response. When pam_password was set equal to md5 the only issue I had was with changing the password it was suggested that I switch to exop so I could use passwd to change the password instead of ldappasswd. With the password history and and strength testing I had testing this thoroughly with md5 and when I switched to exop I could see the attributes getting updated but I did not seem to matter. I think it is definitely something to do with the hashes. Here is the ppolicy lines in my slapd.conf file. Any other information I can provide just let me know.

overlay ppolicy
ppolicy_default cn=default,ou=policies,dc=turbocorp,dc=com

John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051  fax: (770) 531-7878


> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
> Sent: Monday, June 28, 2010 5:15 PM
> To: openldap-technical@openldap.org
> Cc: Allgood, John
> Subject: Re: OpenLDAP Issues
> On Monday, 28 June 2010 16:43:34 Allgood, John wrote:
> > Hey All
> >
> > Does anyone know why when I change pam_password exop in
> /etc/ldap.conf my
> >  password history and check_password module that I built into ppolicy
> stop
> >  working.
> Define "stop working". Is it not updating password history attributes?
> Or, is
> it not preventing you from using passwords from when they were being
> hashed on
> the client side?
> Was this working (as you claimed) correctly, with these two features,
> when you
> changed your password with ldappasswd?
> It could be that your default server hash (please check the hash on
> passwords
> changed via pam_ldap with 'pam_password exop', or by ldappasswd) may
> not be
> md5, in which case, your new password hashes will be different to the
> old ones,
> even if the passwords are the same .....
> Either correct your 'password-hash' in slapd.conf, restart, test etc.,
> or
> stick with your current config, and ensure you're not testing against
> any old
> (md5) password hashes (in password histories).
> >  This is openldap 2.4.21 built from source running on Centos 5.5.
> >  It worked fine when I had pam_password md5.
> Well, note that in this case, the server would never see the clear-
> text, so a
> check_password module would not be able to do very much ...
> Regards,
> Buchan


This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.