I'm running OpenLDAP 2.5.24 on 2 servers. I'm trying to enforce some security rules on client machines through the ppolicy overlay. All the lockout stuff works fine. I understand that pwdMinLength will not work by design because the password is hashed. I can't get pwdInHistory to work. If I set it to 5 I clearly see 5 pwdHistory entries, all hashed {crypt}, but I can go back and forth between two passwords without it rejecting them for being reused. My current theory is that it's not looking at the actual password to prevent reuse, but the hashed password, which is not going to be the same. Should it be working? Follow up question, shouldn't the password be stored {SSHA} and not {CRYPT} by default? Just to be clear, the password is being set on the client machine using passwd, not on the servers running OpenLDAP.
Matt