
Re: ppolicy: pwdInHistory attribute



Hi Clément,

Thanks for your fast reply.

Users change their passwords from a client using the passwd command.

For example, we can see the pwdHistory entries for this test user:

dn: uid=test1,ou=People,dc=test,dc=es
structuralObjectClass: account
entryUUID: 555c6cda-42b1-1031-9c5a-c117d5dee54e
creatorsName: cn=Administrador,dc=test,dc=es
createTimestamp: 20120604165154Z
pwdHistory: 20150318163116Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$V1b0jbs
 R$lT.LD2PFakjfgg9d/BP2gY/
pwdHistory: 20150318163144Z#1.3.6.1.4.1.1466.115.121.1.40#41#{CRYPT}$1$AdfsWnq
 p$6haOPh3AM6McehZPwwqig0
pwdHistory: 20150318163236Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}LVhNB455UYC
 O8nljcwf7KVqOkjsDgUdjf
pwdHistory: 20150318163324Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YBWieVAaj6s
 QcrQNAqT7i2kmebQ2+k5s
pwdHistory: 20150318163348Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$C5F1iK2
 y$0jk2K8skjjoKhGsBN5JUdsM1
pwdChangedTime: 20150318163348Z
entryCSN: 20150318163348.185046Z#000000#001#000000
modifiersName: uid=test1,ou=People,dc=test,dc=es
modifyTimestamp: 20150318163348Z
entryDN: uid=test1,ou=People,dc=test,dc=es
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

In this example, the pwdHistory entries with {CRYPT} passwords belong to the passwords changed by the user from the client (using the passwd command).
And the entries with {SSHA} passwords belong to passwords changed from the LDAP server by the admin user.

Thanks for your help,
Esther

2015-03-19 8:51 GMT+01:00 Clément OUDOT <clem.oudot@gmail.com>:
2015-03-18 18:21 GMT+01:00 Esther Garcia <fulletverde@gmail.com>:
> Hello,
>
> We have installed an openldap server 2.4.23-34 on RHEL 6.5 with ppolicy
> enabled.
>
> # Standard, Policies
> dn: cn=Standard,ou=Policies,dc=test,dc=es
> cn: Standard
> description: Standard password policy.
> pwdAttribute: userPassword
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdLockout: TRUE
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> objectClass: device
> objectClass: pwdPolicy
> pwdSafeModify: FALSE
> pwdFailureCountInterval: 3
> pwdGraceAuthNLimit: 0
> pwdLockoutDuration: 1200
> pwdMaxFailure: 10
> pwdMinAge: 10
> pwdMaxAge: 31536000
> pwdExpireWarning: 0
> pwdInHistory: 5
>
>
> All ppolicy attributes except pwdInHistory are working. We store passwords
> encrypted in the directory.
>
> Is there any way to have pwdInHistory attribute working with encrypted
> passwords stored in the directory?
>

It won't work if the password modification is done with an encrypted
password, or when it is done as rootdn. Are you in one of these cases?

Moreover, your version is quite old and you are encouraged to upgrade.


Clément.
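As an added illustration (not code from this thread or from OpenLDAP), the pwdHistory value format shown in Esther's entry and the point Clément raises: the history check can only re-hash a cleartext candidate with each stored entry's own salt, so a value that arrives already hashed from the client cannot be compared at all. The sample history, passwords and salts below are constructed; only the {SSHA} scheme is implemented here.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Syntax OID carried in every pwdHistory value on the page (Octet String).
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


@dataclass
class HistoryEntry:
    changed: str    # GeneralizedTime of the change, e.g. 20150318163236Z
    syntax_oid: str
    stored: bytes   # the old userPassword value, e.g. b"{SSHA}..."

def make_history_value(changed: str, stored: bytes) -> str:
    """Encode one value as slapd stores it: time#syntaxOID#length#data."""
    return f"{changed}#{OCTET_STRING_OID}#{len(stored)}#{stored.decode()}"

def parse_history_value(value: str) -> HistoryEntry:
    changed, oid, length, data = value.split("#", 3)
    stored = data.encode()
    if int(length) != len(stored):
        raise ValueError("pwdHistory length field does not match its data")
    return HistoryEntry(changed, oid, stored)

def ssha(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 in {SSHA} form: base64(sha1(password + salt) + salt)."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

def matches_ssha(stored: bytes, cleartext: bytes) -> bool:
    """Re-hash the cleartext with the salt recovered from the stored value."""
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(cleartext + salt).digest(), digest)

def in_history(history: list, new_password: bytes):
    """True/False when the check can run; None when it cannot."""
    # An already-hashed value ("{crypt}$1$...") carries no cleartext to re-hash
    # with each entry's own salt, so pwdInHistory cannot be enforced on it.
    if new_password.startswith(b"{"):
        return None
    # Only {SSHA} entries are compared here; slapd checks every scheme it knows.
    return any(matches_ssha(e.stored, new_password)
               for e in history if e.stored.startswith(b"{SSHA}"))

# Constructed sample history (not the page's hashes): two earlier passwords.
SAMPLE_HISTORY = [parse_history_value(make_history_value(t, ssha(pw, salt)))
                  for t, pw, salt in (("20150318163236Z", b"OldPass1!", b"ab12"),
                                      ("20150318163324Z", b"OldPass2!", b"cd34"))]
```

With a 4-byte salt the encoded {SSHA} value is 38 characters long, the same length field the entry above shows for its {SSHA} history values.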