Password History check in openldap not working when I am using SHA-256 password hashing in openldap.
So I am sending a clear text password from my Java application to OpenLDAP and it is storing it in SHA-256 hashed form on its own. Whenever I am changing the password, OpenLDAP is storing the previous password in pwdHistory. There is no problem with that, but when I am changing the password to the same password previously used, it is accepting it without throwing any error. I have been struggling to make it work for a few weeks. Please, somebody help me.
My environment details: OpenLDAP 2.4.38 RHEL 6
The following details are also mentioned in slapd.conf:

include ../etc/openldap/schema/ppolicy.schema
password-hash {SHA256}
overlay ppolicy
ppolicy_default "cn=default,ou=pwdpolicies,dc=my-domain,dc=com"
ppolicy_hash_cleartext
My password policy:

dn: cn=Default,ou=pwdpolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: Default
sn: Default
pwdAttribute: userPassword
pwdMinAge: 0
pwdInHistory: 5
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
Kindly let me know if I have to give more information to nail down the issue. Please, please, please, someone help me on this. I badly need a solution.
On Mon, 9 Jun 2014 18:51:50 +0530, scor z mr.scorpioz@gmail.com wrote:
slapd has no knowledge of the hashing scheme {SHA2} unless you have built and included an appropriate module, i.e. contrib/slapd-modules/passwd/sha2/
-Dieter
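To illustrate Dieter's point, here is an added model of the ppolicy history comparison (example code written for this page, not OpenLDAP's implementation): a stored {SHA256} history entry can only be matched by a build that knows that scheme, otherwise the entry is skipped and the reuse goes unnoticed. The pwdHistory value layout (time#syntaxOID#length#data) follows the password policy draft; the scheme tables are a constructed simplification of what a stock slapd versus a slapd with the sha2 contrib module can evaluate.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Tuple


def _verify_sha256(clear: str, b64: str) -> bool:
    # {SHA256} as stored by the contrib sha2 module: base64 of the raw digest, no salt
    return hashlib.sha256(clear.encode()).digest() == base64.b64decode(b64)


def _verify_ssha(clear: str, b64: str) -> bool:
    # {SSHA} (core scheme): base64 of sha1(password + salt) followed by the salt
    raw = base64.b64decode(b64)
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(clear.encode() + salt).digest() == digest


# Constructed scheme tables: a stock slapd versus one built with the sha2 module
CORE_SCHEMES: Dict[str, Callable[[str, str], bool]] = {"{SSHA}": _verify_ssha}
WITH_SHA2_MODULE: Dict[str, Callable[[str, str], bool]] = {**CORE_SCHEMES, "{SHA256}": _verify_sha256}


def hash_sha256(clear: str) -> str:
    """Return a {SHA256} userPassword value in the sha2 module's format."""
    return "{SHA256}" + base64.b64encode(hashlib.sha256(clear.encode()).digest()).decode()


def history_value(timestamp: str, old_userpassword: str) -> str:
    """Build a pwdHistory value: time#syntaxOID#length#data (Octet String syntax)."""
    length = len(old_userpassword.encode())
    return f"{timestamp}#1.3.6.1.4.1.1466.115.121.1.40#{length}#{old_userpassword}"


def parse_history_value(value: str) -> str:
    """Extract the stored userPassword value from a pwdHistory value."""
    _ts, _oid, length, data = value.split("#", 3)
    if int(length) != len(data.encode()):
        raise ValueError("pwdHistory length field does not match data")
    return data


def check_history(new_clear: str, history: List[str],
                  schemes: Dict[str, Callable[[str, str], bool]]) -> Tuple[bool, List[str]]:
    """Return (reused, unverifiable): reused if any entry matches the new cleartext,
    unverifiable listing schemes this build cannot evaluate (the entry is skipped,
    which is the silent acceptance reported in the thread)."""
    reused, unverifiable = False, []
    for value in history:
        stored = parse_history_value(value)
        scheme, _sep, b64 = stored.partition("}")
        verifier = schemes.get(scheme + "}")
        if verifier is None:
            unverifiable.append(scheme + "}")
        elif verifier(new_clear, b64):
            reused = True
    return reused, unverifiable
```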
Which user are you setting the password with? Remember that the "Admin" user is not subject to the policy.
On Jun 9, 2014, at 9:42 AM, "scor z" mr.scorpioz@gmail.com wrote:
openldap-technical@openldap.org