ppolicy: pwdInHistory attribute

To: openldap-technical@openldap.org

Subject: ppolicy: pwdInHistory attribute

From: Esther Garcia <fulletverde@gmail.com>

Date: Wed, 18 Mar 2015 18:21:48 +0100

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=IiUCWE75exLIRUrdMr4/g2PkUfxlSVSpRCK4VVcbWDg=; b=iOKVEkelM/SmuWUbBE3WGviGnlLtmZwKEoB0BZDC/vlriPP21VnIeTZohcEtxXJSQr U6sdBPaCuxL/fV5vhmgCFv29s5DODoWDeot+Bx/5do3EOw7HoaRfnNLNHX2zv9WL7gYE vSWirtU2Rd0dbgppRsXUZBzEQwG00Jua48FwNzvWG93nlHxWNpYqg79DHDLJMZ7K7xLk Xq6NPQw9YaPKu7Z2D/wuNWq1B99AXlzdOokBPJ8Bt+lZB9PVUGIH6Oh5p+3KqhduJewt QDaVRgW2WqzUUeIu2qduxftbBF+1WmkQ3AmXuopWfytIzorSs8g0QV2ARbyDrcE374Mc jWig==

Hello,

We have installed an openldap server 2.4.23-34 on RHEL 6.5 with ppolicy enabled.

# Standard, Policies
dn: cn=Standard,ou=Policies,dc=test,dc=es
cn: Standard
description: Standard password policy.
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 8
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
objectClass: device
objectClass: pwdPolicy
pwdSafeModify: FALSE
pwdFailureCountInterval: 3
pwdGraceAuthNLimit: 0
pwdLockoutDuration: 1200
pwdMaxFailure: 10
pwdMinAge: 10
pwdMaxAge: 31536000
pwdExpireWarning: 0
pwdInHistory: 5

All ppolicy attributtes except pwdInHistory are working. We store passwords encrypted in the directory.

Is there any way to have pwdInHistory attribute working with encrypted passwords stored in the directory?

Thanks!

Esther

Follow-Ups:

Re: ppolicy: pwdInHistory attribute
- From: Clément OUDOT <clem.oudot@gmail.com>