
Re: Ppolicy - password history



Andris.Eiduks@tietoenator.com wrote:
Hi,

Very strange, because ppolicy with the parameter ppolicy_hash_cleartext also stores
the encrypted password value.
Then where is the problem in storing received encrypted passwords and also
checking this encrypted value against pwdHistory?

The difference is that when the *server* encrypts it, it has a chance to validate the cleartext first. When the *client* encrypts it, no such opportunity exists for the server.


Otherwise we have a problem with PCI DSS requirements:
8.4 Encrypt all passwords during transmission and storage on all system
components.

The obvious solution to meet this requirement is to make sure that all connections are encrypted (using TLS, SASL, or IPSEC).

8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used


Andris


-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Thursday, January 18, 2007 5:48 PM
To: Eiduks Andris
Cc: openldap-software@openldap.org
Subject: Re: Ppolicy - password history



Andris.Eiduks@tietoenator.com wrote:
Hi,

I tried password history checking in OpenLDAP 2.3.32 and changed a user password using an LDAP browser.

When I entered a repeated cleartext password, ppolicy returned the expected decline "Password is in history of old passwords". But when changing the password to an encrypted value (the same password two or more times), OpenLDAP doesn't verify the old password.

In log-file I found similar info about password changing for both cases:

Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"



Slapd.conf : .... ....

moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
ppolicy_hash_cleartext
ppolicy_use_lockout

Encrypted values can't be decrypted to check history. Ppolicy needs the
cleartext password to save the history.

p.





--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
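The behaviour discussed in this thread, as an added illustration that is not OpenLDAP's own code: a small model of a ppolicy-style history check using the {SSHA} scheme (SHA-1 over password plus salt, salt appended, which slapd stores when ppolicy_hash_cleartext is set). It shows why the server can refuse a reused cleartext but has no way to test a client-pre-hashed value against an older, differently salted pwdHistory entry. The function names and the sample passwords are constructed for the example.

```python
import base64
import hashlib
import os

# Constructed model of the ppolicy history check (not slapd code).
# {SSHA} value = "{SSHA}" + base64(sha1(password + salt) + salt)

def ssha_hash(password, salt=None):
    """Return an {SSHA} userPassword value; a fresh 4-byte salt by default."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a cleartext against a stored {SSHA} value by re-hashing with its salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode() + salt).digest() == digest

def change_password(new_value, history):
    """Return (result, value_to_store) for a password change request.

    Cleartext: the server verifies it against every pwdHistory entry,
    refuses a reuse, and only then hashes it with its own fresh salt.
    Pre-hashed ({SSHA}...): the server holds only a one-way value, so it
    can test string equality but cannot tell whether the cleartext behind
    it matches an older entry that was hashed with a different salt.
    """
    if new_value.startswith("{"):
        if new_value in history:
            return "rejected: identical hash already in history", ""
        return "accepted: history cannot be checked on pre-hashed value", new_value
    if any(ssha_verify(new_value, old) for old in history):
        return "rejected: Password is in history of old passwords", ""
    return "accepted", ssha_hash(new_value)

if __name__ == "__main__":
    history = [ssha_hash("Winter2007")]            # constructed old password
    print(change_password("Winter2007", history))  # cleartext reuse: rejected
    # same cleartext, hashed by the client with a new salt: slips past history
    print(change_password(ssha_hash("Winter2007"), history))
```

The second call is the case Andris observed: the pre-hashed value differs byte-for-byte from the history entry, so the reuse goes undetected, which is why the answer above is to send cleartext over an encrypted connection and let the server hash.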