
Re: pwdInHistory question

On Friday, 6 May 2011 00:11:32 Bidwell, Matt wrote:
> I'm running OpenLDAP 2.5.24 on 2 servers.  I'm trying to enforce some
> security rules on client machines through the ppolicy overlay.  All the
> lockout stuff works fine.  I understand that pwdMinLength will not work by
> design because the password is hashed.

This statement isn't true. If OpenLDAP receives the clear text password, 
length/content enforcements can be made. However, if your clients are sending 
the password hashed, it obviously can't.

You can either get your clients to use the Password Modify extended operation 
(e.g. with pam_ldap use 'pam_password exop'), or if your clients can send a 
modify with the userPassword unhashed, then you can use 
'ppolicy_hash_cleartext yes' in slapd.conf.

> I can't get pwdInHistory to work.
> If I set it to 5 I clearly see 5 pwdHistory entries, all hashed {crypt},
> but I can go back and forth between two passwords without it rejecting
> them for being reused.  My current theory is that it's not looking at the
> actual password to prevent reuse, but the hashed password, which is not
> going to be the same.  Should it be working? Follow up question, shouldn't
> the password be stored {SSHA} and not {CRYPT} by default?

It will be hashed with whatever you have set with 'password-hash', which 
defaults to SSHA, *if* the server receives a password modify extended 
operation, or if the server receives the cleartext and has 
'ppolicy_hash_cleartext'. If password-hash is not {CRYPT}, then most likely 
your clients are sending operations with pre-hashed passwords.

> Just to be
> clear, the password is being set on the client machine using passwd, not
> on the servers running OpenLDAP.

*Where* they are being set isn't that relevant; what software is doing it, and 
how it is configured, is more ...
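To make the distinction in this reply concrete, here is an added toy model (not OpenLDAP's code, and not from either poster) of a pwdInHistory check. It assumes a simplified {SSHA} scheme in the OpenLDAP layout (base64 of sha1(password + salt) followed by the salt) and a hypothetical HistoryPolicy class: when the server receives the cleartext it can verify the candidate against every salted hash in history, whereas a client-supplied pre-hashed userPassword leaves it only an opaque string that a fresh salt makes unique.

```python
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)          # a new salt on every hash, as clients do
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Verify a cleartext password against a stored {SSHA} value using its own salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # sha1 digest is 20 bytes; rest is salt
    return hashlib.sha1(password + salt).digest() == digest


class HistoryPolicy:
    """Hypothetical model of a pwdInHistory check (constructed, not slapd's logic)."""

    def __init__(self, pwd_in_history):
        self.pwd_in_history = pwd_in_history
        self.history = []             # stored hashes, in the role of pwdHistory

    def _store(self, hashed):
        self.history.append(hashed)
        self.history = self.history[-self.pwd_in_history:]

    def change_cleartext(self, new_password):
        """Server got the cleartext (Password Modify exop or ppolicy_hash_cleartext)."""
        if any(ssha_verify(new_password, h) for h in self.history):
            return False              # reuse detected against every old salt
        self._store(ssha_hash(new_password))
        return True

    def change_prehashed(self, new_hash):
        """Client sent an already-hashed userPassword: only string comparison is possible."""
        if new_hash in self.history:
            return False
        self._store(new_hash)         # same password, new salt: slips through
        return True
```

Run with pwdInHistory set to 5 and alternate two passwords: change_cleartext rejects the second reuse, while change_prehashed accepts it every time, which matches the symptom in the question.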