
Re: ppolicy: pwdInHistory attribute



Thanks a lot for your help Clément, now it works :)

~]$ passwd
Changing password for user test1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Constraint violation
Password is in history of old passwords
passwd: Authentication token manipulation error



2015-03-19 12:50 GMT+01:00 Clément OUDOT <clem.oudot@gmail.com>:
2015-03-19 12:28 GMT+01:00 Esther Garcia <fulletverde@gmail.com>:
> Hi Clément,
>
> Thanks for your fast reply.
>
> Users change their passwords from a client using the passwd command.
>
> For example, we can see the pwdHistory entries for this test user:
>
> dn: uid=test1,ou=People,dc=test,dc=es
> structuralObjectClass: account
> entryUUID: 555c6cda-42b1-1031-9c5a-c117d5dee54e
> creatorsName: cn=Administrador,dc=test,dc=es
> createTimestamp: 20120604165154Z
> pwdHistory:
> 20150318163116Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$V1b0jbs
>  R$lT.LD2PFakjfgg9d/BP2gY/
> pwdHistory:
> 20150318163144Z#1.3.6.1.4.1.1466.115.121.1.40#41#{CRYPT}$1$AdfsWnq
>  p$6haOPh3AM6McehZPwwqig0
> pwdHistory:
> 20150318163236Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}LVhNB455UYC
>  O8nljcwf7KVqOkjsDgUdjf
> pwdHistory:
> 20150318163324Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YBWieVAaj6s
>  QcrQNAqT7i2kmebQ2+k5s
> pwdHistory:
> 20150318163348Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$C5F1iK2
>  y$0jk2K8skjjoKhGsBN5JUdsM1
> pwdChangedTime: 20150318163348Z
> entryCSN: 20150318163348.185046Z#000000#001#000000
> modifiersName: uid=test1,ou=People,dc=test,dc=es
> modifyTimestamp: 20150318163348Z
> entryDN: uid=test1,ou=People,dc=test,dc=es
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
>
> In this example, the pwdHistory entries with {CRYPT} passwords belong to the
> passwords changed by the user from the client (using the passwd command).
> And the entries with {SSHA} passwords belong to passwords changed on the
> LDAP server by the admin user.
>

You should configure your client not to crypt the password. See the
pam_password parameter in the PAM LDAP configuration.



Clément.
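As an added illustration (not code from the thread or from OpenLDAP), here is a small Python model of why the server needs the cleartext: it parses the pwdHistory format seen above (time#syntaxOID#length#value), re-hashes a candidate password with the salt stored in each {SSHA} entry, and shows that a value the client has already hashed with a fresh salt never string-matches a history entry even when the underlying password is the same. Only {SSHA} is modelled and the sample history is constructed inside the script.

```python
import base64
import hashlib
import os
from typing import List, Optional, Tuple

# Syntax OID of Octet String, as seen in the pwdHistory values above.
SYNTAX_OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password: str, stored: str) -> bool:
    """Re-hash the cleartext with the salt taken from the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def parse_pwd_history(value: str) -> Tuple[str, str, int, str]:
    """Split time#syntaxOID#length#value and check the declared length."""
    time, oid, length, data = value.split("#", 3)
    if len(data) != int(length):
        raise ValueError(f"pwdHistory length {length} != {len(data)}")
    return time, oid, int(length), data


def password_in_history(cleartext: str, history: List[str]) -> bool:
    """Server-side check: needs the cleartext to re-hash per stored salt."""
    for value in history:
        _, oid, _, stored = parse_pwd_history(value)
        if oid == SYNTAX_OCTET_STRING and verify_ssha(cleartext, stored):
            return True
    return False


def prehashed_in_history(prehashed: str, history: List[str]) -> bool:
    """All the server can do with a client-hashed value: compare strings.
    A fresh salt defeats this even when the password is identical."""
    return any(parse_pwd_history(v)[3] == prehashed for v in history)


def build_history(passwords: List[str]) -> List[str]:
    """Constructed sample history, one SSHA entry per old password."""
    entries = []
    for i, pw in enumerate(passwords):
        stored = make_ssha(pw)
        entries.append(f"201503181631{i:02d}Z#{SYNTAX_OCTET_STRING}#{len(stored)}#{stored}")
    return entries
```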