[EMAIL PROTECTED] wrote:
Hi,
Very strange, because ppolicy with the parameter ppolicy_hash_cleartext also
stores the encrypted password value.
Then where is the problem in storing received encrypted passwords and also
checking this encrypted value against pwdHistory?
The difference is that when the *server* encrypts it, it has a chance to
validate the cleartext first. When the *client* encrypts it, no such
opportunity exists for the server.
Otherwise we have a problem with PCI DSS requirements:
8.4 Encrypt all passwords during transmission and storage on all system components.
The obvious solution to meet this requirement is to make sure that all
connections are encrypted (using TLS, SASL, or IPSEC).
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
Andris
-----Original Message-----
From: Pierangelo Masarati [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 18, 2007 5:48 PM
To: Eiduks Andris
Cc: [email protected]
Subject: Re: Ppolicy - password history
[EMAIL PROTECTED] wrote:
Hi,
I tried password history checking in OpenLDAP 2.3.32 and changed a user
password using an LDAP browser.
When I entered a repeated cleartext password, ppolicy returned the
expected decline "Password is in history of old passwords". But when
changing the password to any encrypted value (the same password two or
more times), OpenLDAP doesn't verify the old password.
In the log file I found similar info about password changing for both
cases:
Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
slapd.conf:
....
....
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
ppolicy_hash_cleartext
ppolicy_use_lockout
Encrypted values can't be decrypted to check history. Ppolicy needs the
cleartext password to save the history.
p.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
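An added example, not from this thread or from OpenLDAP's own code, illustrating the point Howard and Pierangelo make: with salted {SSHA} values the same cleartext hashes differently every time, so a server that receives cleartext can verify it against each pwdHistory entry by reusing that entry's salt, while a client-supplied hash can only be compared as an opaque string and will not match. The history list is simplified here to bare hash values (real pwdHistory values carry a timestamp and syntax prefix), and the salts are constructed.

```python
import base64
import hashlib
import os
from typing import List, Optional

def ssha_hash(cleartext: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # a fresh random salt, as slapd does for userPassword
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(cleartext: str, stored: str) -> bool:
    """Check cleartext against a stored {SSHA} value by reusing the salt it carries."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(cleartext.encode("utf-8") + salt).digest() == digest

def in_history_cleartext(candidate: str, history: List[str]) -> bool:
    """Server-side check when the client sends cleartext: each old hash can be re-verified."""
    return any(ssha_verify(candidate, old) for old in history)

def in_history_prehashed(candidate_hash: str, history: List[str]) -> bool:
    """All that is left when the client pre-hashes: a literal string comparison."""
    return candidate_hash in history

# Constructed sample: two old passwords stored with fixed salts (simplified pwdHistory).
HISTORY = [
    ssha_hash("Winter2006!", salt=b"\xaa\xbb\xcc\xdd"),
    ssha_hash("Spring2007!", salt=b"\x11\x22\x33\x44"),
]

if __name__ == "__main__":
    # Cleartext reuse of an old password is caught; a client-hashed copy of it is not.
    print(in_history_cleartext("Winter2006!", HISTORY))                             # True
    print(in_history_prehashed(ssha_hash("Winter2006!", salt=b"\x01\x02\x03\x04"), HISTORY))  # False
```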