Hi Clément,

Thanks for your fast reply.

Users change their passwords from a client using the passwd command.

For example, we can see the pwdHistory entries for this test user:

dn: uid=test1,ou=People,dc=test,dc=es
structuralObjectClass: account
entryUUID: 555c6cda-42b1-1031-9c5a-c117d5dee54e
creatorsName: cn=Administrador,dc=test,dc=es
createTimestamp: 20120604165154Z
pwdHistory:
20150318163116Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$V1b0jbs
 R$lT.LD2PFakjfgg9d/BP2gY/
pwdHistory:
20150318163144Z#1.3.6.1.4.1.1466.115.121.1.40#41#{CRYPT}$1$AdfsWnq
 p$6haOPh3AM6McehZPwwqig0
pwdHistory:
20150318163236Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}LVhNB455UYC
 O8nljcwf7KVqOkjsDgUdjf
pwdHistory:
20150318163324Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YBWieVAaj6s
 QcrQNAqT7i2kmebQ2+k5s
pwdHistory:
20150318163348Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$C5F1iK2
 y$0jk2K8skjjoKhGsBN5JUdsM1
pwdChangedTime: 20150318163348Z
entryCSN: 20150318163348.185046Z#000000#001#000000
modifiersName: uid=test1,ou=People,dc=test,dc=es
modifyTimestamp: 20150318163348Z
entryDN: uid=test1,ou=People,dc=test,dc=es
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

In this example, the pwdHistory entries with {CRYPT} passwords belong to
the passwords changed by the user from the client (using the passwd
command).
And the entries with {SSHA} passwords belong to passwords changed from the
LDAP server by the admin user.

Thanks for your help,
Esther

2015-03-19 8:51 GMT+01:00 Clément OUDOT <[email protected]>:

> 2015-03-18 18:21 GMT+01:00 Esther Garcia <[email protected]>:
> > Hello,
> >
> > We have installed an openldap server 2.4.23-34 on RHEL 6.5 with ppolicy
> > enabled.
> >
> > # Standard, Policies
> > dn: cn=Standard,ou=Policies,dc=test,dc=es
> > cn: Standard
> > description: Standard password policy.
> > pwdAttribute: userPassword
> > pwdCheckQuality: 1
> > pwdMinLength: 8
> > pwdLockout: TRUE
> > pwdMustChange: TRUE
> > pwdAllowUserChange: TRUE
> > objectClass: device
> > objectClass: pwdPolicy
> > pwdSafeModify: FALSE
> > pwdFailureCountInterval: 3
> > pwdGraceAuthNLimit: 0
> > pwdLockoutDuration: 1200
> > pwdMaxFailure: 10
> > pwdMinAge: 10
> > pwdMaxAge: 31536000
> > pwdExpireWarning: 0
> > pwdInHistory: 5
> >
> >
> > All ppolicy attributes except pwdInHistory are working. We store passwords
> > encrypted in the directory.
> >
> > Is there any way to have pwdInHistory attribute working with encrypted
> > passwords stored in the directory?
> >
>
> It won't work if the password modification is done with an encrypted
> password, or when it is done as rootdn. Are you in one of these cases?
>
> Moreover, your version is quite old and you are encouraged to upgrade.
>
>
> Clément.
>

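An added example, not code from this thread or from OpenLDAP: a small Python model of the history check that the ppolicy overlay needs to perform, parsing the time#syntaxOID#length#value layout of the pwdHistory values shown above and re-hashing a cleartext candidate with each stored {SSHA} salt. It assumes the slapd {SSHA} layout (base64 of SHA-1 digest followed by the salt) and constructed sample passwords; {crypt} entries, such as the ones written via passwd above, are deliberately left unverified since that would need crypt(3). It shows why a pre-hashed candidate cannot be checked at all.

```python
import base64
import hashlib
import os
import re
from typing import List, Optional, Tuple

# Syntax OID carried by every pwdHistory value above (octet string).
HISTORY_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"
_ENTRY = re.compile(r"^(\d{14}Z)#([\d.]+)#(\d+)#(.*)$", re.S)

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash as slapd stores a cleartext password under {SSHA}: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare; this needs the cleartext."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def make_history_entry(stored: str, when: str) -> str:
    """Build one pwdHistory value (when is a GeneralizedTime such as 20150318163236Z)."""
    return f"{when}#{HISTORY_SYNTAX}#{len(stored.encode())}#{stored}"

def parse_history_entry(value: str) -> Tuple[str, str, str]:
    """Split a pwdHistory value into (timestamp, syntax OID, stored hash); check the length field."""
    m = _ENTRY.match(value)
    if not m:
        raise ValueError("not a pwdHistory value: %r" % value)
    ts, oid, length, stored = m.groups()
    if int(length) != len(stored.encode()):
        raise ValueError("length field %s does not match value" % length)
    return ts, oid, stored

def in_history(candidate: str, history: List[str]) -> Optional[bool]:
    """True/False when the cleartext candidate can be compared with every entry.
    None when the check is impossible: the client already hashed the value (as passwd
    did for the {crypt} entries above) or an entry uses a scheme not handled here."""
    if candidate.startswith("{"):
        return None  # pre-hashed by the client: the server has nothing to re-hash
    undecidable = False
    for value in history:
        _, _, stored = parse_history_entry(value)
        if stored.upper().startswith("{SSHA}"):
            if ssha_verify(candidate, stored):
                return True
        else:
            undecidable = True  # e.g. {crypt}: would need crypt(3), omitted here
    return None if undecidable else False
```

With this model a reused password is only caught when the modify carries cleartext and the server can re-hash it per entry, which is the condition Clément describes.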