Hello all,
I'm working on a self-service application and want to prevent users from re-using old passwords. What is the correct way to change a password, taking password history into account?
I guess it is:
1. Bind with a special user and check that the specified uid exists
2. Bind using the user-supplied uid and password
3. Get the password policy, history etc. and validate on the self-service side
4. Execute an LDAP modifyRequest with a single item: userPassword with the new hashed password as its value
In my case the same password gives the same hash. Is there any way to force encrypted password history validation on the server side?
Thank you.
On Thu, Oct 29, 2015, at 11:18 AM, Bogdan Rudas wrote:
> Hello all, I'm working on a self-service application and want to prevent users from re-using old passwords. What is the correct way to change a password, taking password history into account?
> I guess it is:
> - Bind with a special user and check that the specified uid exists
> - Bind using the user-supplied uid and password
> - Get the password policy, history etc. and validate on the self-service side
> - Execute an LDAP modifyRequest with a single item: userPassword with the new hashed password as its value
> In my case the same password gives the same hash. Is there any way to force encrypted password history validation on the server side?
You could leave points 3 and 4 to the ppolicy overlay (server side): http://www.openldap.org/doc/admin24/overlays.html (12.10)
You should set, in your policy (or policies), the olcPPolicyHashCleartext attribute to true and send the new password as cleartext so the overlay can test it against your requisites and, if those checks are successful:
- encrypt it
- rotate the pwdHistory attributes (which store the last $pwdInHistory password hashes)
Take a look at the slapo-ppolicy manpage.
> Thank you.
> Bogdan Rudas
hope this helps,
dario zanzico
Dario Zanzico wrote:
> You could leave points 3 and 4 to the ppolicy overlay (server side): http://www.openldap.org/doc/admin24/overlays.html (12.10)
> You should set, in your policy (or policies), the olcPPolicyHashCleartext attribute to true and send the new password as cleartext so the overlay can test it against your requisites and, if those checks are successful:
> - encrypt it
> - rotate the pwdHistory attributes (which store the last $pwdInHistory password hashes)
> Take a look at the slapo-ppolicy manpage.
ppolicyHashCleartext is a kludge. The correct approach is to use the passwordModify operation.
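Putting the two replies together as an added example (not from any poster on this thread): a cn=config LDIF that lets slapd enforce the history check itself instead of the self-service application. The database index {1}mdb, the suffix dc=example,dc=com and the policy DN are assumptions.

```ldif
# Added example (not from any poster): cn=config LDIF that makes slapd
# enforce password history itself. Assumptions: database is {1}mdb, suffix
# dc=example,dc=com, policy entry cn=default,ou=policies,dc=example,dc=com.
# The ppolicy schema (ppolicy.ldif) must already be loaded into cn=schema,cn=config.

# Load the overlay module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Let users write their own userPassword (inserted as the first ACL).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none

# Attach the overlay and point it at the default policy. With
# olcPPolicyHashCleartext a cleartext value in a plain Modify is hashed by
# slapd after the checks have passed; a value the client hashed itself
# cannot be compared against pwdHistory, which is the reuse gap the
# original post ran into.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# The policy itself: remember the last 5 hashes and refuse any of them,
# require the old password on change, reject short passwords.
# pwdCheckQuality 2 also rejects a value slapd cannot inspect (already hashed).
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdSafeModify: TRUE
pwdAllowUserChange: TRUE
```

Clients then change passwords with the Password Modify extended operation (RFC 3062), which is what ldappasswd uses, sending the old and new cleartext values so slapd can verify the old one, check the new one against pwdHistory and hash it on the server.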
On 29/10/2015 11:18, Bogdan Rudas wrote:
Hi,
Just for information, if you are looking for a self-service application, you can check http://ltb-project.org/wiki/documentation/self-service-password/latest/start
But as it is written in PHP, it does not use the ppolicy control (not yet implemented in the PHP LDAP API).
openldap-technical@openldap.org