Re: OpenLDAP Issues

[Buchan Milne <bgmilne@staff.telkomsa.net>]

On Monday, 28 June 2010 16:43:34 Allgood, John wrote:
> Hey All
> 
> Does anyone know why when I change pam_password exop in /etc/ldap.conf my
>  password history and check_password module that I built into ppolicy stop
>  working.

Define "stop working". Is it not updating password history attributes? Or, is 
it not preventing you from using passwords from when they were being hashed on 
the client side?

Was this working (as you claimed) correctly, with these two features, when you 
changed your password with ldappasswd?

It could be that your default server hash (please check the hash on passwords 
changed via pam_ldap with 'pam_password exop', or by ldappasswd) may not be 
md5, in which case, your new password hashes will be different to the old ones, 
even if the passwords are the same .....

Either correct your 'password-hash' in slapd.conf, restart, test etc., or 
stick with your current config, and ensure you're not testing against any old 
(md5) password hashes (in password histories).

>  This is openldap 2.4.21 built from source running on Centos 5.5.
>  It worked fine when I had pam_password md5.

Well, note that in this case, the server would never see the clear-text, so a 
check_password module would not be able to do very much ...

Regards,
Buchan