
Re: PAM authentication and PPolicy issues

On Wed, Jun 20, 2012 at 01:44:05PM +0000, Francesco Belli wrote:

> Now I'm using http://
> www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&
> manpath=OpenLDAP+2.3-Release&format=html as reference for ppolicy. My

The 2.3 release series is very old now. You should be using 2.4 and
the 2.4 manuals:


> I'm testing with SHA stored passwords the pwdInHistory directive.

SHA is much better than plaintext, but best practice is to use a
salted hash - SSHA in this case. The use of salt frustrates attempts
to build a dictionary to invert stolen password records. If LinkedIn
had used salt in their password hashes they would now be in less
trouble as a result of the recent disclosure...


|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
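
The difference between the {SHA} and {SSHA} userPassword formats discussed in the message above, as an added example that is not part of the original post. User names and passwords are constructed sample data, and the 8-byte salt length and the helper names are assumptions of this sketch.

```python
from __future__ import annotations
import base64, hashlib, hmac, os

def sha_hash(password: str) -> str:
    """Unsalted {SHA} value: base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Salted {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumed salt length for this sketch
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if scheme == "SHA" and len(raw) == 20:
        digest, salt = raw, b""
    elif scheme == "SSHA" and len(raw) > 20:
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
    else:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def shared_hash_groups(records: dict[str, str]) -> list[list[str]]:
    """Groups of users whose stored values are byte-for-byte identical."""
    by_value: dict[str, list[str]] = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return [sorted(users) for users in by_value.values() if len(users) > 1]

# Constructed sample directory: alice and bob chose the same password.
SAMPLE = {"alice": "Summer2012", "bob": "Summer2012", "carol": "tr0ub4dor"}

def audit(hash_fn) -> list[list[str]]:
    """Hash SAMPLE with hash_fn and report users sharing a stored value."""
    return shared_hash_groups({u: hash_fn(p) for u, p in SAMPLE.items()})

if __name__ == "__main__":
    print("unsalted:", audit(sha_hash))   # identical passwords are visible
    print("salted:  ", audit(ssha_hash))  # per-entry salt hides them
```

With {SHA}, one precomputed value matches every entry that uses the same password; with {SSHA}, each entry has to be tested separately against its own salt.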