Sorry Patric,

Maybe the reference that I have is wrong, I’m using the book “Mastering OpenLDAP” by Matt Butcher that in chapter 6 at pag 323 says “if you store password in plain text in the directory then the policy overlay can be configured to maintain a password history”. Now I’m using as reference for ppolicy. My authentication error was a trivial problem on an objectClass: posixAccount. Now I’m testing with SHA stored passwords the pwdInHistory directive. Thanks for the suggestions,






From: [] On Behalf Of Patrick Hemmer
Sent: 20 June 2012 14:17
Subject: Re: PAM authentication and PPolicy issues


Sent: Wed Jun 20 2012 04:36:03 GMT-0400 (EDT)
From: Clément OUDOT <>
To: Francesco Belli <>
Subject: Re: PAM authentication and PPolicy issues

2012/6/20 Francesco Belli <>:
Hi Clement,
I already used pam_password directive, I set it to cleartext, but this parameter is used for password change and not for authentication. As man pam_ldap says "Specifies the password change protocol to use", so not the authentication method. Now my situation is that I have some users in the LDAP server that they have a SHA hash in the userPassword field, and they are correctly authenticated, others that have a clear text password and cannot be authenticated via PAM.
Password scheme used in LDAP directory do not prevent any application
to authenticate to LDAP. Dig into logs to see what is the real reason
of your problem.

In addition, it is not true that the password must be stored in cleartext for pwdCheckQuality and pwdInHistory to work. Storing passwords in cleartext is bad.