
Re: (ITS#5285) password policy checks userPassword hash even without policies
mbackes@symas.com wrote:
> Full_Name: Matthew Backes
> Version: 2.3, 2.4, head, etc
> OS: all
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (67.115.65.234)
> 
> 
> When receiving a new userPassword, slapo-ppolicy checks to see if that password
> matches the hash already present in userPassword, and disallows it if this is
> the case.
> 
> This is a sensible default for most circumstances, as otherwise the user could
> reset their age counters by using the same password.
> 
> Unfortunately, it also blocks arguably-legitimate password changes; e.g. when
> migrating to SSHA from CRYPT where the first 8 chars of the new password match
> the old.
> 
> This patch changes this userPassword-has-changed check to only apply if there is
> a password policy defined which requires it; in particular, any of pwdInHistory,
> pwdMinAge, pwdMaxAge, pwdCheckQuality, or pwdMustChange must apply for this
> check to be enforced.

Rereading draft-behera, it says

5.2.4  pwdInHistory

    This attribute specifies the maximum number of used passwords stored
    in the pwdHistory attribute.

    If this attribute is not present, or if the value is 0, used
    passwords are not stored in the pwdHistory attribute and thus may be
    reused.

As such the test can be simplified. Committing to HEAD.
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
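The check discussed in this thread, as an added illustration rather than OpenLDAP's own code: an {SSHA} verifier plus a "same password as before" test that, following draft-behera 5.2.4, is only applied when pwdInHistory is present and non-zero. It assumes the stored value is in OpenLDAP's {SSHA} form (base64 of 20 SHA-1 digest bytes followed by the salt); the CRYPT-to-SSHA migration case from the report is not modelled.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical helpers modelling the slapo-ppolicy behaviour described in the
# ITS#5285 thread; not taken from OpenLDAP sources.

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} value.

    The salt is whatever follows the 20-byte SHA-1 digest after base64 decoding.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def reject_reused_password(new_password: str, stored: str, pwd_in_history: int) -> bool:
    """Return True if the change should be refused as a reuse of the current password.

    draft-behera 5.2.4: an absent or zero pwdInHistory means used passwords are
    not stored and may be reused, so the hash comparison is skipped entirely.
    A caller would pass 0 when the attribute is absent from the policy entry.
    """
    if pwd_in_history <= 0:
        return False
    return ssha_verify(new_password, stored)
```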