RE: Ppolicy - password history
Hi,
Very strange, because ppolicy with the parameter ppolicy_hash_cleartext also
stores the encrypted password value.
Then where is the problem: store the received encrypted passwords and also
check this encrypted value against pwdHistory?
Otherwise we have a problem with PCI DSS requirements:
8.4 Encrypt all passwords during transmission and storage on all system
components.
8.5.12 Do not allow an individual to submit a new password that is the
same as any of the last four passwords he or she has used.
Andris
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Thursday, January 18, 2007 5:48 PM
To: Eiduks Andris
Cc: openldap-software@openldap.org
Subject: Re: Ppolicy - password history
Andris.Eiduks@tietoenator.com wrote:
> Hi,
>
> I try password history checking in OpenLDAP 2.3.32 and change user
> password using LDAP browser.
>
> When I enterer repaeted cleartext password then ppolicy returned
> expected decline "Password is in history of old passwords". But by
> password changing to any encrypted value ( the same password two and
> more times) OpenLDAP doesn't verify old password.
>
> In log-file I found similar info about password changing for both
> cases:
>
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
>
>
> Slapd.conf :
> ....
> ....
>
> moduleload ppolicy.la
> overlay ppolicy
> ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
> ppolicy_hash_cleartext
> ppolicy_use_lockout
Encrypted values can't be decrypted to check history. Ppolicy needs the
cleartext password to save the history.
p.
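The point Pierangelo makes above can be shown with a few lines of code. The block below is an added example and is not part of the thread or of OpenLDAP's ppolicy overlay: it implements the {SSHA} userPassword scheme (SHA-1 over password plus a random 4-byte salt, base64 of digest plus salt) and two history checks. With the cleartext in hand, the server can re-hash the candidate with each old entry's salt and detect reuse; with only a client-supplied hash, all it can compare is the opaque string, and a fresh salt makes the same password look new every time. The pwdHistory value layout (generalizedTime, syntax OID, length and data separated by "#") is taken from the password policy draft that ppolicy implements, but the parser and all function names are ours, and the sample values are constructed for the example.

```python
import base64
import hashlib
import os
from typing import List, Optional

# {SSHA}: base64( SHA1(password || salt) || salt ). This is the scheme
# slapd writes when ppolicy_hash_cleartext (or the client) hashes the value.
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a cleartext password; a random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Re-hash the cleartext with the salt carried in the stored value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored)
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def parse_pwd_history(value: str) -> str:
    """Extract the stored password value from a pwdHistory attribute value.
    Assumed layout (from the password policy draft): time#syntaxOID#length#data."""
    time_str, syntax_oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return data

def history_check_cleartext(new_password: str, history: List[str]) -> bool:
    """What ppolicy can do when it sees the cleartext: True means reuse."""
    return any(ssha_verify(new_password, parse_pwd_history(h)) for h in history)

def history_check_prehashed(new_value: str, history: List[str]) -> bool:
    """All a server can do with an already-hashed value is compare strings;
    a per-value random salt defeats this even when the password is identical."""
    return any(new_value == parse_pwd_history(h) for h in history)

def make_history_entry(stored: str, time_str: str = "20070118132515Z") -> str:
    """Build a constructed pwdHistory value around a stored userPassword."""
    octet_string_oid = "1.3.6.1.4.1.1466.115.121.1.40"
    return "#".join([time_str, octet_string_oid, str(len(stored)), stored])

if __name__ == "__main__":
    # Constructed history: the user previously set "Secret1".
    old = make_history_entry(ssha_hash("Secret1"))
    print("cleartext reuse detected:", history_check_cleartext("Secret1", [old]))
    # Client pre-hashes the same password with its own salt: reuse is invisible.
    resent = ssha_hash("Secret1")
    print("pre-hashed reuse detected:", history_check_prehashed(resent, [old]))
```

Running it prints True for the cleartext check and False for the pre-hashed one, which is exactly the behaviour reported in the thread. Note that this is not a weakness in the hashing: a salted hash is designed so that two encodings of the same password do not match, and verifying one requires the cleartext. The PCI DSS wording on encryption in transit is better met by sending the cleartext over TLS (ldaps or StartTLS) and letting ppolicy_hash_cleartext do the hashing on the server, where the history check can run.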