
RE: Ppolicy - password history

Then do you recommend using only cleartext passwords from the *client* side?

And if the *client* performs password encryption, then must the password history
be stored and compared by *client*-side software?


Andris 

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Subject: Re: Ppolicy - password history


Andris.Eiduks@tietoenator.com wrote:
> Hi,
> 
> Very strange, because ppolicy with the parameter ppolicy_hash_cleartext 
> also stores an encrypted password value. Then where is the problem in storing 
> received encrypted passwords and also checking this encrypted value 
> against pwdHistory?

The difference is that when the *server* encrypts it, it has a chance to
validate the cleartext first. When the *client* encrypts it, no such 
opportunity exists for the server.

> Otherwise we have a problem with PCI DSS requirements:
>  
> 8.4 Encrypt all passwords during transmission and storage on all 
> system components.

The obvious solution to meet this requirement is to make sure that all 
connections are encrypted (using TLS, SASL, or IPSEC).
> 
> 8.5.12 Do not allow an individual to submit a new password that is the
> same as any of the last four passwords he or she has used
> 
> 
> Andris
> 
> -----Original Message-----
> From: Pierangelo Masarati [mailto:ando@sys-net.it]
> Sent: Thursday, January 18, 2007 5:48 PM
> To: Eiduks Andris
> Cc: openldap-software@openldap.org
> Subject: Re: Ppolicy - password history
> 
> 
> Andris.Eiduks@tietoenator.com wrote:
>> Hi,
>>
>> I tried password history checking in OpenLDAP 2.3.32, changing a user
>> password using an LDAP browser.
>>
>> When I entered a repeated cleartext password, ppolicy returned the
>> expected decline "Password is in history of old passwords". But when 
>> changing the password to an encrypted value (the same password two or 
>> more times), OpenLDAP doesn't verify the old password.
>>
>> In log-file I found similar info about password changing for both
>> cases:
>>
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory:
>> modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory:
>> modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete
>> pwdHistory
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add
>> pwdHistory
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type
>> "pwdHistory"
>>
>>
>> Slapd.conf :
>> ....
>> ....
>>
>> moduleload ppolicy.la
>> overlay ppolicy
>> ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
>> ppolicy_hash_cleartext
>> ppolicy_use_lockout
> 
> Encrypted values can't be decrypted to check history.  Ppolicy needs 
> the cleartext password to save the history.
> 
> p.
> 
> 
> 


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
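The following is an added illustration of the point Howard and Pierangelo make above; it is not code from OpenLDAP or from anyone in this thread. It models a server-side pwdHistory check: each stored entry is an {SSHA} hash with its own random salt, so the server can only confirm reuse when it receives the cleartext and can re-hash it with each old salt. A value the client has already hashed (with a fresh salt) can only be compared byte-for-byte, and that comparison never matches. The pwdHistory value layout (time#syntaxOID#length#data) follows the ppolicy draft; the timestamps and passwords are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import os
from typing import List, Optional

# Syntax OID for Octet String, the syntax recorded in pwdHistory values
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Re-hash the cleartext with the salt carried in the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password + salt).digest() == digest


def make_history_value(timestamp: str, hashed: str) -> str:
    """Build one pwdHistory value: time#syntaxOID#length#data."""
    return f"{timestamp}#{OCTET_STRING_OID}#{len(hashed)}#{hashed}"


def parse_history_value(value: str) -> str:
    """Extract the stored password data from a pwdHistory value."""
    _time, _oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return data


def is_in_history(candidate: bytes, pwd_history: List[str]) -> bool:
    """Server-side reuse check, as ppolicy can perform it.

    Cleartext candidate : verify against every old hash using that hash's
                          own salt, so reuse is detected.
    Pre-hashed candidate: the server cannot recover the cleartext, so only an
                          exact byte comparison is possible; a different salt
                          makes the same password look new.
    """
    stored_values = [parse_history_value(v) for v in pwd_history]
    if candidate.startswith(b"{"):             # client already hashed it
        return candidate.decode("ascii") in stored_values
    return any(ssha_verify(candidate, s) for s in stored_values)


if __name__ == "__main__":
    # Constructed sample: one old password, hashed server-side with salt "abcd"
    history = [make_history_value("20070118112515Z",
                                  ssha_hash(b"Secret1", b"abcd"))]
    print("cleartext reuse detected :", is_in_history(b"Secret1", history))
    rehashed = ssha_hash(b"Secret1", b"wxyz").encode("ascii")
    print("client-hashed reuse seen :", is_in_history(rehashed, history))
```

The second print shows the gap described in the thread: the same password arrives as a different {SSHA} string because the client chose a new salt, so pwdHistory cannot catch it. Hashing on the server (ppolicy_hash_cleartext) with the transport protected by TLS, SASL or IPsec keeps both the history check and the PCI DSS transmission requirement satisfied.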