Then do you recommend using only cleartext passwords from the *client* side?

And if the *client* performs password encryption, then must the password history be stored and compared by *client*-side software?

Andris

-----Original Message-----
From: Howard Chu [mailto:[EMAIL PROTECTED]
Subject: Re: Ppolicy - password history

[EMAIL PROTECTED] wrote:
> Hi,
>
> Very strange, because ppolicy, by parameter ppolicy_hash_cleartext,
> also stores an encrypted password value. Then where is the problem
> storing received encrypted passwords and also checking this encrypted
> value against pwdHistory?

The difference is that when the *server* encrypts it, it has a chance to
validate the cleartext first. When the *client* encrypts it, no such
opportunity exists for the server.

> Otherwise we have a problem with PCI DSS requirements:
>
> 8.4 Encrypt all passwords during transmission and storage on all
> system components.

The obvious solution to meet this requirement is to make sure that all
connections are encrypted (using TLS, SASL, or IPSEC).

> 8.5.12 Do not allow an individual to submit a new password that is the
> same as any of the last four passwords he or she has used
>
> Andris
>
> -----Original Message-----
> From: Pierangelo Masarati [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 18, 2007 5:48 PM
> To: Eiduks Andris
> Cc: [email protected]
> Subject: Re: Ppolicy - password history
>
> [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I tried password history checking in OpenLDAP 2.3.32, changing a user
>> password using an LDAP browser.
>>
>> When I entered a repeated cleartext password, ppolicy returned the
>> expected decline "Password is in history of old passwords". But when
>> changing the password to an encrypted value (the same password two or
>> more times), OpenLDAP doesn't verify against the old password.
>>
>> In the log file I found similar info about the password change for
>> both cases:
>>
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory
>> Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
>>
>> slapd.conf:
>> ....
>> ....
>>
>> moduleload ppolicy.la
>> overlay ppolicy
>> ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
>> ppolicy_hash_cleartext
>> ppolicy_use_lockout
>
> Encrypted values can't be decrypted to check history. Ppolicy needs the
> cleartext password to save the history.
>
> p.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
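The point Howard and Pierangelo make above (the server can only enforce pwdHistory on a value it can verify, and a client-supplied hash is not such a value) is easiest to see with a small model of the server side. The following Python is an added example written for this page; it is not OpenLDAP's ppolicy code. It uses the real {SSHA} userPassword encoding (base64 of sha1(password || salt) followed by the salt, with a 4-byte random salt), but the policy logic, the outcome names, the `server_change_password` helper and the sample password are constructed for illustration. Note that the client-supplied hash carries its own random salt, so even a naive string comparison against the stored history would never match:

```python
"""
Added illustration, not OpenLDAP code.  Models why a server-side password
history check (as ppolicy does with ppolicy_hash_cleartext) only works when
the server receives the cleartext.  The {SSHA} encoding is OpenLDAP's real
userPassword format; the policy logic below is a simplified model.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value: base64(sha1(password || salt) || salt), fresh salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(cleartext: bytes, stored: str) -> bool:
    """Verify a cleartext candidate against a stored {SSHA} value using that value's own salt."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hmac.compare_digest(hashlib.sha1(cleartext + salt).digest(), digest)


def is_prehashed(value: bytes) -> bool:
    """RFC 2307 style values carry a {scheme} prefix; anything else is treated as cleartext."""
    return value.startswith(b"{")


def server_change_password(history: List[str], new_value: bytes,
                           pwd_in_history: int = 4) -> Tuple[str, List[str]]:
    """Model of the server handling a userPassword modification (constructed helper).

    Returns (outcome, updated history) where outcome is one of:
      'rejected_in_history' - cleartext matched a prior password (reuse blocked)
      'accepted_hashed'     - cleartext checked, hashed with a fresh salt, stored
      'accepted_unchecked'  - client sent a hash; no cleartext, so no check possible
    `history` holds the last `pwd_in_history` stored values, oldest first.
    """
    if is_prehashed(new_value):
        # A client-supplied hash has its own salt; the server cannot compare it
        # with any history entry without the cleartext, so history goes unenforced.
        return "accepted_unchecked", (history + [new_value.decode("ascii")])[-pwd_in_history:]

    for old in history:
        if ssha_verify(new_value, old):
            return "rejected_in_history", history

    return "accepted_hashed", (history + [ssha_hash(new_value)])[-pwd_in_history:]


def demo() -> List[str]:
    """Walk through the three cases from the thread; returns the outcomes in order."""
    outcomes = []
    history: List[str] = []
    pw = b"Winter2007"  # constructed sample password

    # 1. cleartext (sent over a TLS-protected connection): server hashes and stores it
    o, history = server_change_password(history, pw)
    outcomes.append(o)
    # 2. the same cleartext again: rejected, it matches the history entry
    o, _ = server_change_password(history, pw)
    outcomes.append(o)
    # 3. the same password pre-hashed by the client: accepted without any history check
    o, history = server_change_password(history, ssha_hash(pw).encode("ascii"))
    outcomes.append(o)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `accepted_hashed`, `rejected_in_history`, `accepted_unchecked` for the three cases, which matches what Andris observed: the cleartext change is declined as "in history", the pre-hashed change of the same password is not. The practical consequence for PCI DSS 8.4 and 8.5.12 together is the one Howard states: protect the transport (TLS, SASL with a confidentiality layer, or IPsec) and let the server receive the cleartext and hash it, rather than hashing on the client.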
