On Mon, Sep 23, 2019 at 05:08:19PM +0200, Ond??ej Kuzn??k wrote:
> Hi Greg,
> thanks for both, I should merge that soon.
Wonderful, thank you. :-)
> On a side note, any ideas how to deal with ppolicy's pwdHistory here so
> it can reject changing the password to an old one? AFAIK using these
> schemas will prevent slap_passwd_check() from working and there isn't an
> obvious way to proceed.
I'm not familiar enough with how the ppolicy overlay hooks in
to say ATM. I'll poke at this a bit and see if anything comes
to mind... If the user is using the exop to set the password
we do have access to the plaintext reusable password stripped
of the OTP seed in the new hash_totp_and_pw() function, so if
there's something better than calling lutil_passwd_hash()
directly to restore this functionality I'd be perfectly fine
with that change. Though I'm guessing it won't be quite that
easy. ;-)
--
Greg Veldman