[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy: pwdInHistory attribute

Hi Clément,

Thanks for your fast reply.

Users change their passwords from a client using the passwd command.

For example, we can see the pwdHistory entries for this test user:

dn: uid=test1,ou=People,dc=test,dc=es
structuralObjectClass: account
entryUUID: 555c6cda-42b1-1031-9c5a-c117d5dee54e
creatorsName: cn=Administrador,dc=test,dc=es
createTimestamp: 20120604165154Z
pwdHistory: 20150318163116Z#{crypt}$1$V1b0jbs
pwdHistory: 20150318163144Z#{CRYPT}$1$AdfsWnq
pwdHistory: 20150318163236Z#{SSHA}LVhNB455UYC
pwdHistory: 20150318163324Z#{SSHA}YBWieVAaj6s
pwdHistory: 20150318163348Z#{crypt}$1$C5F1iK2
pwdChangedTime: 20150318163348Z
entryCSN: 20150318163348.185046Z#000000#001#000000
modifiersName: uid=test1,ou=People,dc=test,dc=es
modifyTimestamp: 20150318163348Z
entryDN: uid=test1,ou=People,dc=test,dc=es
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

In this example, the pwdHistory entries with {CRYPT} passwords belong to the passwords changed by the user from the client (using the passwd command).
And the entries with {SSHA} passwords belong to password changed from the LDAP server by the admin user.

Thanks for your help,

2015-03-19 8:51 GMT+01:00 Clément OUDOT <clem.oudot@gmail.com>:
2015-03-18 18:21 GMT+01:00 Esther Garcia <fulletverde@gmail.com>:
> Hello,
> We have installed an openldap server 2.4.23-34 on RHEL 6.5 with ppolicy
> enabled.
> # Standard, Policies
> dn: cn=Standard,ou=Policies,dc=test,dc=es
> cn: Standard
> description: Standard password policy.
> pwdAttribute: userPassword
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdLockout: TRUE
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> objectClass: device
> objectClass: pwdPolicy
> pwdSafeModify: FALSE
> pwdFailureCountInterval: 3
> pwdGraceAuthNLimit: 0
> pwdLockoutDuration: 1200
> pwdMaxFailure: 10
> pwdMinAge: 10
> pwdMaxAge: 31536000
> pwdExpireWarning: 0
> pwdInHistory: 5
> All ppolicy attributtes except pwdInHistory are working. We store passwords
> encrypted in the directory.
> Is there any way to have pwdInHistory attribute working with encrypted
> passwords stored in the directory?

It won't work if the password modification is done with an encrypted
password, or when it is done as rootdn. Are you in one of this case?

Moreover, your version is quite old and you are encouraged to upgrade.