Hi there,

I'm hoping someone can help me find the password history entries for
a particular user.

The policy is set up to store 10 passwords. Changing the password
confirmS that the history works properly.

From what I've found online I was lead to believe that the history
entries are stored in krbPwdHistory and that I should be able to
access those entries as 'Directory Manager' without restrictions.

https://www.redhat.com/archives/freeipa-users/2013-July/msg00166.html

However this attribute doesn't show up. Searching the database I
found the appropriate entry in the policy (krbPwdHistoryLength) for
how many passwords are stored but not the password history attribute
itself.

I've been searching the database for a specific user like this:
ldapsearch -x -D 'cn=Directory Manager' -W -b
'uid=frink,cn=users,cn=accounts,dc=example,dc=com'

and also searched the whole domain (default base):
ldapsearch -x -D 'cn=Directory Manager' -W

I've also compared the output of the whole domain prior and post to
changing a users password. The attributes that changed did not
include an obvious history element (unless there is some kind of
magic involved).

Some more details about the setup:
ipa-server-4.4.0-14.el7.centos.6.x86_64, obviously running on CentOS 7.

I would highly appreciate any pointers as to where I could find the
history of password hashes!

Thanks!
Richard

-- 
/dev/null

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to