[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy: pwdInHistory attribute

Thanks a lot for your help Clément, now it works :)

~]$ passwd
Changing password for user test1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Constraint violation
Password is in history of old passwords
passwd: Authentication token manipulation error

2015-03-19 12:50 GMT+01:00 Clément OUDOT <clem.oudot@gmail.com>:
2015-03-19 12:28 GMT+01:00 Esther Garcia <fulletverde@gmail.com>:
> Hi Clément,
> Thanks for your fast reply.
> Users change their passwords from a client using the passwd command.
> For example, we can see the pwdHistory entries for this test user:
> dn: uid=test1,ou=People,dc=test,dc=es
> structuralObjectClass: account
> entryUUID: 555c6cda-42b1-1031-9c5a-c117d5dee54e
> creatorsName: cn=Administrador,dc=test,dc=es
> createTimestamp: 20120604165154Z
> pwdHistory:
> 20150318163116Z#{crypt}$1$V1b0jbs
>  R$lT.LD2PFakjfgg9d/BP2gY/
> pwdHistory:
> 20150318163144Z#{CRYPT}$1$AdfsWnq
>  p$6haOPh3AM6McehZPwwqig0
> pwdHistory:
> 20150318163236Z#{SSHA}LVhNB455UYC
>  O8nljcwf7KVqOkjsDgUdjf
> pwdHistory:
> 20150318163324Z#{SSHA}YBWieVAaj6s
>  QcrQNAqT7i2kmebQ2+k5s
> pwdHistory:
> 20150318163348Z#{crypt}$1$C5F1iK2
>  y$0jk2K8skjjoKhGsBN5JUdsM1
> pwdChangedTime: 20150318163348Z
> entryCSN: 20150318163348.185046Z#000000#001#000000
> modifiersName: uid=test1,ou=People,dc=test,dc=es
> modifyTimestamp: 20150318163348Z
> entryDN: uid=test1,ou=People,dc=test,dc=es
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
> In this example, the pwdHistory entries with {CRYPT} passwords belong to the
> passwords changed by the user from the client (using the passwd command).
> And the entries with {SSHA} passwords belong to password changed from the
> LDAP server by the admin user.

You should configure your client to not crypt password. See
pam_password parameter in PAM LDAP configuration.