On Mon, Sep 23, 2019 at 05:08:19PM +0200, Ondřej Kuzník wrote:
> Hi Greg, thanks for both, I should merge that soon.
Wonderful, thank you. :-)
> On a side note, any ideas how to deal with ppolicy's pwdHistory here so it can reject changing the password to an old one? AFAIK using these schemas will prevent slap_passwd_check() from working and there isn't an obvious way to proceed.
I'm not familiar enough with how the ppolicy overlay hooks in to say ATM. I'll poke at this a bit and see if anything comes to mind... If the user is using the exop to set the password we do have access to the plaintext reusable password stripped of the OTP seed in the new hash_totp_and_pw() function, so if there's something better than calling lutil_passwd_hash() directly to restore this functionality I'd be perfectly fine with that change. Though I'm guessing it won't be quite that easy. ;-)