Hi,

Very strange, because ppolicy with the parameter ppolicy_hash_cleartext also stores the encrypted password value. Then where is the problem to store received encrypted passwords and also check this encrypted value against pwdHistory?

Otherwise we have a problem with PCI DSS requirements:
8.4 Encrypt all passwords during transmission and storage on all system components.
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

Andris

-----Original Message-----
From: Pierangelo Masarati [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 18, 2007 5:48 PM
To: Eiduks Andris
Cc: [email protected]
Subject: Re: Ppolicy - password history

[EMAIL PROTECTED] wrote:
> Hi,
>
> I try password history checking in OpenLDAP 2.3.32 and change user
> password using LDAP browser.
>
> When I entered a repeated cleartext password then ppolicy returned the
> expected decline "Password is in history of old passwords". But by
> password changing to any encrypted value (the same password two and
> more times) OpenLDAP doesn't verify old password.
>
> In log-file I found similar info about password changing for both
> cases:
>
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory
> Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
>
> Slapd.conf :
> ....
> ....
>
> moduleload ppolicy.la
> overlay ppolicy
> ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
> ppolicy_hash_cleartext
> ppolicy_use_lockout

Encrypted values can't be decrypted to check history. Ppolicy needs the
cleartext password to save the history.

p.
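Pierangelo's point, as an added example that is not part of this thread or of OpenLDAP's own code: with {SSHA} every hash carries a fresh salt, so the same password hashes to a different value each time. A pre-hashed userPassword can therefore only be byte-compared against pwdHistory (and misses), whereas a cleartext password can be re-hashed with each stored salt and verified. The pwdHistory value layout `time#syntaxOID#length#data` follows the password-policy draft; the sample entry and salts are constructed.

```python
import base64
import hashlib
import os
from typing import List, Optional

SSHA_PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), salt appended."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, re-hash the cleartext, compare."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def history_hashes(pwd_history: List[str]) -> List[str]:
    """pwdHistory values are 'time#syntaxOID#length#data'; keep the data part."""
    return [value.split("#", 3)[3] for value in pwd_history]


def cleartext_in_history(password: str, pwd_history: List[str]) -> bool:
    # What ppolicy can do when it receives cleartext: verify against each
    # stored hash using that entry's own salt.
    return any(ssha_verify(password, h) for h in history_hashes(pwd_history))


def prehashed_in_history(hashed: str, pwd_history: List[str]) -> bool:
    # All the server can do with an opaque pre-hashed value is compare bytes;
    # a different salt makes this miss even when the password is identical.
    return hashed in history_hashes(pwd_history)


# Constructed sample: one pwdHistory entry with a fixed salt so it is repeatable.
OLD_HASH = ssha_hash("Winter2007", b"\x01\x02\x03\x04")
SAMPLE_HISTORY = [
    "20070118132515Z#1.3.6.1.4.1.1466.115.121.1.40#%d#%s" % (len(OLD_HASH), OLD_HASH)
]

if __name__ == "__main__":
    resubmitted = ssha_hash("Winter2007", b"\x05\x06\x07\x08")  # same password, new salt
    print("cleartext reuse detected:", cleartext_in_history("Winter2007", SAMPLE_HISTORY))
    print("pre-hashed reuse detected:", prehashed_in_history(resubmitted, SAMPLE_HISTORY))
```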
