Hi Clément,
Thanks for your fast reply.
Users change their passwords from a client using the passwd command.
For example, we can see the pwdHistory entries for this test user:
dn: uid=test1,ou=People,dc=test,dc=es
structuralObjectClass: account
entryUUID: 555c6cda-42b1-1031-9c5a-c117d5dee54e
creatorsName: cn=Administrador,dc=test,dc=es
createTimestamp: 20120604165154Z
pwdHistory: 20150318163116Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$V1b0jbsR$lT.LD2PFakjfgg9d/BP2gY/
pwdHistory: 20150318163144Z#1.3.6.1.4.1.1466.115.121.1.40#41#{CRYPT}$1$AdfsWnqp$6haOPh3AM6McehZPwwqig0
pwdHistory: 20150318163236Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}LVhNB455UYCO8nljcwf7KVqOkjsDgUdjf
pwdHistory: 20150318163324Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YBWieVAaj6sQcrQNAqT7i2kmebQ2+k5s
pwdHistory: 20150318163348Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$C5F1iK2y$0jk2K8skjjoKhGsBN5JUdsM1
pwdChangedTime: 20150318163348Z
entryCSN: 20150318163348.185046Z#000000#001#000000
modifiersName: uid=test1,ou=People,dc=test,dc=es
modifyTimestamp: 20150318163348Z
entryDN: uid=test1,ou=People,dc=test,dc=es
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
In this example, the pwdHistory entries with {CRYPT} passwords belong to the passwords changed by the user from the client (using the passwd command), and the entries with {SSHA} passwords belong to passwords changed from the LDAP server by the admin user.
Thanks for your help, Esther
2015-03-19 8:51 GMT+01:00 Clément OUDOT clem.oudot@gmail.com:
2015-03-18 18:21 GMT+01:00 Esther Garcia fulletverde@gmail.com:
Hello,
We have installed an openldap server 2.4.23-34 on RHEL 6.5 with ppolicy enabled.
# Standard, Policies
dn: cn=Standard,ou=Policies,dc=test,dc=es
cn: Standard
description: Standard password policy.
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 8
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
objectClass: device
objectClass: pwdPolicy
pwdSafeModify: FALSE
pwdFailureCountInterval: 3
pwdGraceAuthNLimit: 0
pwdLockoutDuration: 1200
pwdMaxFailure: 10
pwdMinAge: 10
pwdMaxAge: 31536000
pwdExpireWarning: 0
pwdInHistory: 5
All ppolicy attributes except pwdInHistory are working. We store passwords encrypted in the directory.
Is there any way to have pwdInHistory attribute working with encrypted passwords stored in the directory?
It won't work if the password modification is done with an encrypted password, or when it is done as rootdn. Are you in one of these cases?
Moreover, your version is quite old and you are encouraged to upgrade.
Clément.
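The point Clément makes above can be shown with a small history check: the server can only compare a new password against pwdHistory when it receives the cleartext, because each stored {SSHA} value carries its own random salt and a freshly hashed copy of the same password never string-matches an older one. This is an added example, not code from either poster or from OpenLDAP; it uses the pwdHistory value layout seen in the thread (time#syntaxOID#length#data) and, by assumption, only verifies {SSHA} entries, skipping {CRYPT} ones.

```python
import base64
import hashlib
import os
from datetime import datetime

# Syntax OID that appears in every pwdHistory value in the thread (octet string).
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt stored in the value; needs the cleartext."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def make_history_value(hashed: str, when: datetime) -> str:
    """Format one pwdHistory value as ppolicy stores it: time#syntaxOID#length#data."""
    return f"{when:%Y%m%d%H%M%S}Z#{OCTET_STRING_SYNTAX}#{len(hashed)}#{hashed}"


def parse_history_value(value: str) -> tuple[str, str]:
    """Return (scheme tag in upper case, stored hash) from a pwdHistory value."""
    _time, _oid, length, data = value.split("#", 3)
    if len(data) != int(length):
        raise ValueError("pwdHistory length field does not match the data")
    scheme = data[: data.index("}") + 1].upper() if data.startswith("{") else ""
    return scheme, data


def password_in_history(candidate: str, history: list[str]) -> bool:
    """True if the cleartext candidate matches any {SSHA} entry in history.

    Assumption of this example: {CRYPT} entries are skipped, since checking them
    needs the system crypt(3); a server does the same kind of per-entry verify.
    """
    for value in history:
        scheme, data = parse_history_value(value)
        if scheme == "{SSHA}" and ssha_verify(candidate, data):
            return True
    return False
```

Run against a constructed entry, `password_in_history` only succeeds with the cleartext; comparing a newly hashed value to the stored one, which is what a pre-hashed modify amounts to, fails even for the same password.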