[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy - password history

To: Andris.Eiduks@tietoenator.com
Subject: Re: Ppolicy - password history
From: Howard Chu <hyc@symas.com>
Date: Fri, 19 Jan 2007 00:21:37 -0800
Cc: ando@sys-net.it, openldap-software@openldap.org
In-reply-to: <1FABB43D1E997C49B412A3008386ADB9025EC23B@dino.eu.tieto.com>
References: <1FABB43D1E997C49B412A3008386ADB9025EC23B@dino.eu.tieto.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a2pre) Gecko/20070113 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a

Andris.Eiduks@tietoenator.com wrote:

Hi,

Very strange, because ppolicy by parameter ppolicy_hash_cleartext store
also encrypted password value.
Then where is the problem store recieved ecrypted passwords and also
check from pwdHistory this encrypted value?

The difference is that when the *server* encrypts it, it has a chance to validate the cleartext first. When the *client* encrypts it, no such opportunity exists for the server.

Otherwise we have a problem with PCI DSS requirements: 8.4 Encrypt all passwords during transmission and storage on all system components.

The obvious solution to meet this requirement is to make sure that all connections are encrypted (using TLS, SASL, or IPSEC).

8.5.12 Do not allow an individual to submit a new password that is the
same as any of the last
four passwords he or she has used
Andris

-----Original Message----- From: Pierangelo Masarati [mailto:ando@sys-net.it] Sent: Thursday, January 18, 2007 5:48 PM To: Eiduks Andris Cc: openldap-software@openldap.org Subject: Re: Ppolicy - password history

Andris.Eiduks@tietoenator.com wrote:
Hi,
I try password history checking in OpenLDAP 2.3.32 and change user password using LDAP browser.

When I enterer repaeted cleartext password then ppolicy returned expected decline "Password is in history of old passwords". But by password changing to any encrypted value ( the same password two and more times) OpenLDAP doesn't verify old password.

In log-file I found similar info about password changing for both cases:

Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
Slapd.conf :
....
....
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
ppolicy_hash_cleartext
ppolicy_use_lockout
Encrypted values can't be decrypted to check history.  Ppolicy needs the
cleartext password to save the history.
p.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Follow-Ups:
- RE: Ppolicy - password history
  - From: <Andris.Eiduks@tietoenator.com>

References:
- RE: Ppolicy - password history
  - From: <Andris.Eiduks@tietoenator.com>

Prev by Date: RE: Ppolicy - password history
Next by Date: RE: Ppolicy - password history
Index(es):
- Chronological
- Thread