I'm running OpenLDAP 2.5.24 on 2 servers. I'm trying to enforce some security
rules on client machines through the ppolicy overlay. All the lockout stuff
works fine. I understand that pwdMinLength will not work by design because the
password is hashed. I can't get pwdInHistory to work. If I set it to 5 I
clearly see 5 pwdHistory entries, all hashed {crypt}, but I can go back and
forth between two passwords without it rejecting them for being reused. My
current theory is that it's not looking at the actual password to prevent
reuse, but the hashed password, which is not going to be the same. Should it
be working? Follow-up question, shouldn't the password be stored {SSHA} and not
{CRYPT} by default? Just to be clear, the password is being set on the client
machine using passwd, not on the servers running OpenLDAP.
Matt
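Added example, not from the post or from OpenLDAP's own code: a simplified model of the pwdInHistory comparison, using constructed pwdHistory values in the ppolicy attribute format (time#syntaxOID#length#data, with the Octet String syntax OID). It shows that a cleartext candidate can be checked against the stored {SSHA} history, while a candidate that already arrives hashed with a different salt never matches, which is the behaviour the post describes.

```python
import base64
import hashlib

OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Salted SHA-1 in the {SSHA} userPassword form: base64(sha1(pw+salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pwd_history_value(timestamp: str, data: str) -> str:
    """Build one pwdHistory value in the ppolicy format: time#syntaxOID#length#data."""
    return f"{timestamp}#{OCTET_STRING_OID}#{len(data)}#{data}"


def parse_pwd_history(value: str):
    timestamp, oid, length, data = value.split("#", 3)
    if len(data) != int(length):
        raise ValueError("pwdHistory length field does not match data")
    return timestamp, oid, data


def verify_ssha(stored: str, candidate: str) -> bool:
    """Recompute the salted hash with the salt stored in the history entry."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def in_history(history, candidate: str) -> bool:
    """Cleartext candidate: hash-compare against each entry (the intended check).
    Pre-hashed candidate (starts with '{'): the server only sees an opaque
    string, so only a byte-identical hash can match, and a fresh salt never will."""
    for value in history:
        _, _, data = parse_pwd_history(value)
        if candidate.startswith("{"):
            if data == candidate:
                return True
        elif verify_ssha(data, candidate):
            return True
    return False


# Constructed sample history (hypothetical passwords and a fixed server-side salt).
SERVER_SALT = b"\x01\x02\x03\x04"
HISTORY = [
    pwd_history_value("20240101120000Z", ssha_hash(b"Winter2024!", SERVER_SALT)),
    pwd_history_value("20240201120000Z", ssha_hash(b"Spring2024!", SERVER_SALT)),
]
```

The practical consequence is that the change has to reach the server as cleartext (for example via the Password Modify extended operation over TLS) so that ppolicy can hash and compare it itself; a client that hashes with its own salt before sending defeats the history check.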