Pat Riehecky writes:
In the long run I would love to use ppolicy for this, but (...)
OK, overlay accesslog for both Bind and updates then. Then regularly pull updates out from the accesslog database. Or accesslog for Bind and auditlog for updates. Or if you want an overlay which does this, auditlog + accesslog's Bind recognition should provide a good template.
Unless ppolicy does support just recording multi-value changes, as long as expiry and so on is turned off so it doesn't have to modify anything itself. Haven't tried.
Right now I have some MD5 some CRYPT and some SSHA floating about. For reasons beyond my control, at this time, anyone who changes their password gets all three. Eventually I hope to move everyone to SSHA, but until then ppolicy cannot work for me. It doesn't support the crazy multiple password entries per user thing I have going on.
Sounds like it would be useful for ppolicy to support that. Would need a ppolicy config option saying "assume multiple userPassword values are different hashes of the same password".
Realistically I don't expect to have to keep the multi-password hashes for long, but like any place... just because we should doesn't mean we won't wander off in the wrong direction.
So true :-(
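Added example, not code from this thread or from OpenLDAP: a checker for the multi-value userPassword situation discussed above. It verifies each RFC 2307-style value ({SSHA}, {SMD5}, {SHA}, {MD5}, and {CRYPT} where Python's crypt module exists) and reports whether every checkable value is a hash of the same candidate password, which is exactly what a ppolicy option of the kind suggested above would have to assume. encode_userpassword and SAMPLE_VALUES are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional

# Scheme -> (hash constructor, digest length in bytes). {SSHA}/{SMD5} store
# base64(digest || salt); {SHA}/{MD5} store base64(digest) with no salt.
SCHEMES = {"SSHA": (hashlib.sha1, 20), "SHA": (hashlib.sha1, 20),
           "SMD5": (hashlib.md5, 16), "MD5": (hashlib.md5, 16)}


def encode_userpassword(scheme: str, password: str, salt: bytes = b"") -> str:
    """Constructed helper: build a {SCHEME}base64(...) userPassword value."""
    ctor, _ = SCHEMES[scheme]
    digest = ctor(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored: str, candidate: str) -> Optional[bool]:
    """Verify one value; None means the scheme cannot be checked here."""
    if not stored.startswith("{") or "}" not in stored:
        return None  # no scheme prefix: cleartext or unknown, not handled
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        try:
            import crypt  # removed from the standard library in Python 3.13
        except ImportError:
            return None
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    if scheme not in SCHEMES:
        return None
    ctor, dlen = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]  # salt is empty for {SHA}/{MD5}
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(ctor(candidate.encode("utf-8") + salt).digest(), digest)


def all_same_password(values: Iterable[str], candidate: str) -> bool:
    """True only if at least one value was checkable and all of those verify."""
    results = [check_userpassword(v, candidate) for v in values]
    checked = [r for r in results if r is not None]
    return bool(checked) and all(checked)


# Constructed sample: one account carrying several hashes of the same password,
# as described in the thread (unsalted {MD5} is the weakest of the three).
SAMPLE_VALUES = [encode_userpassword("SSHA", "s3cret", b"\x01\x02\x03\x04"),
                 encode_userpassword("SMD5", "s3cret", b"salt"),
                 encode_userpassword("MD5", "s3cret")]
```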