Andris.Eiduks@tietoenator.com wrote:
Hi,
I am trying password history checking in OpenLDAP 2.3.32 and changing a user password using an LDAP browser.
When I entered a repeated cleartext password, ppolicy returned the expected decline "Password is in history of old passwords". But when changing the password to any encrypted value (the same password two or more times), OpenLDAP doesn't verify the old password.
In the log file I found similar info about the password change for both cases:
Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: acl: internal mod pwdHistory: modify access granted
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: delete pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: bdb_modify_internal: add pwdHistory
Jan 18 13:25:15 KS-Test-1 slapd[5478]: oc_check_allowed type "pwdHistory"
slapd.conf:
....
....
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=trm"
ppolicy_hash_cleartext
ppolicy_use_lockout
Encrypted values can't be decrypted to check history. Ppolicy needs the cleartext password to save the history.
p.
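As an added illustration, not part of this thread and not the OpenLDAP overlay's own code, of why the history check only works when the server sees the cleartext: a Python model of a {SSHA} password history check over a constructed pwdHistory entry. It assumes {SSHA} as the hashing scheme and the "time#syntaxOID#length#data" pwdHistory value format; the function names, the sample password and the fixed salts are this example's own.

```python
import base64
import hashlib
import os
from typing import List, Optional, Tuple

# Syntax OID for Octet String, as used in pwdHistory values
# (assumed format: "time#syntaxOID#length#data").
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 {SSHA} value: base64(sha1(password || salt) || salt).
    A fresh random salt is used unless one is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """Check a cleartext candidate against a stored {SSHA} value by re-hashing
    the candidate with the salt recovered from the stored value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported password scheme: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(candidate + salt).digest() == digest


def history_entry(policy_time: str, hashed: str) -> str:
    """Format one pwdHistory value (hypothetical helper, assumed format)."""
    return "#".join([policy_time, OCTET_STRING_OID, str(len(hashed)), hashed])


def parse_history_entry(value: str) -> str:
    """Return the stored hash from a pwdHistory value, validating the length field."""
    _time, _oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return data


def history_check(new_value: bytes, history: List[str]) -> Tuple[bool, str]:
    """Decide whether new_value is 'in history of old passwords'.

    new_value is what the client sent in the modify: either the cleartext
    password, or an already hashed value such as b'{SSHA}...'.
    """
    stored_hashes = [parse_history_entry(v) for v in history]
    if new_value.startswith(b"{"):
        # Pre-hashed: the server cannot recover the cleartext, so all it could
        # do is a literal comparison, which fails whenever the salt differs.
        literal = new_value.decode("ascii")
        if literal in stored_hashes:
            return True, "pre-hashed value is byte-identical to a history entry"
        return False, "pre-hashed value: cannot be verified against history"
    # Cleartext: re-hash with each stored entry's own salt and compare.
    for stored in stored_hashes:
        if ssha_verify(stored, new_value):
            return True, "cleartext matched a history entry"
    return False, "cleartext not found in history"


# Constructed sample: one old password hashed with a fixed salt, as the overlay
# would have stored it after a cleartext change with ppolicy_hash_cleartext.
OLD_SALT = b"\x01\x02\x03\x04"
SAMPLE_HISTORY = [
    history_entry("20070118132515Z", ssha_hash(b"secret1", OLD_SALT)),
]

if __name__ == "__main__":
    print(history_check(b"secret1", SAMPLE_HISTORY))
    print(history_check(b"secret2", SAMPLE_HISTORY))
    # Same password, hashed client-side with a different salt: not detectable.
    print(history_check(ssha_hash(b"secret1").encode("ascii"), SAMPLE_HISTORY))
```

The third call is the situation from the report: the client re-hashes "secret1" itself, the new {SSHA} string carries a different salt, and the only thing the server holds for comparison is a string that never equals the stored one. With the cleartext in hand the server can re-hash with each stored salt and the first call catches the reuse.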