Then do You recommend use only clearteaxt password from *client* side ?
And if *client" perform password encryption, then password history must be stored and compared by * client* side soft ?
Andris
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Subject: Re: Ppolicy - password history
Andris.Eiduks@tietoenator.com wrote:
Hi,
Very strange, because ppolicy by parameter ppolicy_hash_cleartext store also encrypted password value. Then where is the problem store recieved ecrypted passwords and also check from pwdHistory this encrypted value?
The difference is that when the *server* encrypts it, it has a chance to
validate the cleartext first. When the *client* encrypts it, no such opportunity exists for the server.
Otherwise we have a problem with PCI DSS requirements:
8.4 Encrypt all passwords during transmission and storage on all system components.
The obvious solution to meet this requirement is to make sure that all connections are encrypted (using TLS, SASL, or IPSEC).
8.5.12 Do not allow an individual to submit a new password that is the
same as any of the last four passwords he or she has used
Andris
-----Original Message----- From: Pierangelo Masarati [mailto:ando@sys-net.it] Sent: Thursday, January 18, 2007 5:48 PM To: Eiduks Andris Cc: openldap-software@openldap.org Subject: Re: Ppolicy - password history
Andris.Eiduks@tietoenator.com wrote:
Hi,
I try password history checking in OpenLDAP 2.3.32 and change user password using LDAP browser.
When I enterer repaeted cleartext password then ppolicy returned expected decline "Password is in history of old passwords". But by password changing to any encrypted value ( the same password two and more times) OpenLDAP doesn't verify old password.
In log-file I found similar info about password changing for both cases:
Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
Slapd.conf : .... ....
moduleload ppolicy.la overlay ppolicy ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm" ppolicy_hash_cleartext ppolicy_use_lockout
Encrypted values can't be decrypted to check history. Ppolicy needs the
cleartext password to save the history.
p.