RE: Ppolicy - password history
Then do you recommend using only cleartext passwords from the *client* side?
And if the *client* performs password encryption, then must the password history
be stored and compared by *client*-side software?
Andris
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Subject: Re: Ppolicy - password history
Andris.Eiduks@tietoenator.com wrote:
> Hi,
>
> Very strange, because with the ppolicy_hash_cleartext parameter ppolicy
> also stores an encrypted password value. Then where is the problem with
> storing received encrypted passwords and also checking this encrypted
> value from pwdHistory?
The difference is that when the *server* encrypts it, it has a chance to
validate the cleartext first. When the *client* encrypts it, no such
opportunity exists for the server.
> Otherwise we have a problem with PCI DSS requirements:
>
> 8.4 Encrypt all passwords during transmission and storage on all
> system components.
The obvious solution to meet this requirement is to make sure that all
connections are encrypted (using TLS, SASL, or IPSEC).
>
> 8.5.12 Do not allow an individual to submit a new password that is the
> same as any of the last four passwords he or she has used
>
>
> Andris
>
> -----Original Message-----
> From: Pierangelo Masarati [mailto:ando@sys-net.it]
> Sent: Thursday, January 18, 2007 5:48 PM
> To: Eiduks Andris
> Cc: openldap-software@openldap.org
> Subject: Re: Ppolicy - password history
>
>
> Andris.Eiduks@tietoenator.com wrote:
>> Hi,
>>
>> I tried password history checking in OpenLDAP 2.3.32 and changed the
>> user password using an LDAP browser.
>>
>> When I entered a repeated cleartext password, ppolicy returned the
>> expected decline "Password is in history of old passwords". But when
>> changing the password to any encrypted value (the same password two or
>> more times), OpenLDAP doesn't verify the old password.
>>
>> In the log file I found similar info about password changing for both
>> cases:
>>
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory:
>> modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory:
>> modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete
>> pwdHistory
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add
>> pwdHistory
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type
>> "pwdHistory"
>>
>>
>> Slapd.conf :
>> ....
>> ....
>>
>> moduleload ppolicy.la
>> overlay ppolicy
>> ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
>> ppolicy_hash_cleartext
>> ppolicy_use_lockout
>
> Encrypted values can't be decrypted to check history. Ppolicy needs
> the cleartext password to save the history.
>
> p.
>
>
>
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
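A worked illustration of the point Howard and Pierangelo make above, added here as an example and not code from the thread or from OpenLDAP itself: it assumes {SSHA} as the server's storage scheme (base64 of SHA-1 digest plus a 4-byte salt) and the pwdHistory value layout time#syntaxOID#length#data, with constructed timestamps and salts. A cleartext candidate can be re-hashed with each stored salt and compared; a value the client already hashed under its own salt can never match, so the history check silently passes.

```python
from __future__ import annotations
import base64
import hashlib
import os

OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"  # syntax OID carried in pwdHistory values

def ssha_hash(password: bytes, salt: bytes | None = None) -> str:
    """{SSHA} as stored by slapd: base64(sha1(password + salt) + salt); 4-byte salt assumed."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def ssha_verify(password: bytes, stored: str) -> bool:
    """Server-side check: recover the salt from the stored value and re-hash the cleartext."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(password + salt).digest() == digest

def history_entry(stored: str, when: str = "20070118132515Z") -> str:
    """Build one pwdHistory value: time#syntaxOID#length#data (timestamp is constructed)."""
    return f"{when}#{OCTET_STRING_OID}#{len(stored)}#{stored}"

def history_data(entry: str) -> str:
    """Split a pwdHistory value and return the stored hash, checking the length field."""
    _when, _oid, length, data = entry.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return data

def in_history(candidate: bytes | str, history: list[str]) -> bool:
    """A cleartext candidate (bytes) can be tested against every salted hash.
    A client-hashed candidate (str) can only match byte-for-byte, so a fresh
    salt chosen by the client defeats the history check entirely."""
    for entry in history:
        stored = history_data(entry)
        if isinstance(candidate, bytes):
            if ssha_verify(candidate, stored):
                return True
        elif candidate == stored:
            return True
    return False

if __name__ == "__main__":
    # Constructed history: the user's last password, hashed by the server with salt b"abcd"
    history = [history_entry(ssha_hash(b"secret", b"abcd"))]
    print(in_history(b"secret", history))                      # True: server re-hashes cleartext
    print(in_history(ssha_hash(b"secret", b"wxyz"), history))  # False: client used its own salt
```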