[37165] in Kerberos
Re: Key history with LDAP backend?
daemon@ATHENA.MIT.EDU (Abdelkader Chelouah)
Mon Jul 20 15:32:55 2015
Message-ID: <55AD4CCE.3040809@gmail.com>
Date: Mon, 20 Jul 2015 21:32:30 +0200
From: Abdelkader Chelouah <a.chelouah@gmail.com>
To: Greg Hudson <ghudson@mit.edu>, Andreas Ntaflos <daff@pseudoterminal.org>,
kerberos@mit.edu
In-Reply-To: <54591553.1030001@mit.edu>
On 04/11/2014 19:05, Greg Hudson wrote:
> On 11/04/2014 12:54 PM, Andreas Ntaflos wrote:
>> Hi,
>>
>> I see that the "-history" option for "add_policy" (in kadmin) is not
>> supported when using the LDAP backend for Kerberos [1].
> We expect to have this implemented for 1.14 (see
> https://github.com/krb5/krb5/pull/132 ) but for now that is true.
>
>> Is there *any* other way to ensure a user doesn't use one of his
>> previous four keys when changing passwords and the Kerberos database is
>> in LDAP?
> You could write a password quality plugin module (see
> http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/index.html ) and
> maintain your own database of password hashes. You might use
> http://www.eyrie.org/~eagle/software/krb5-strength/
> as a starting point; it contains password history functionality, but
> doesn't provide it for use with MIT krb5.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
Hello Greg,
Can you confirm that LDAP Backend password history will be implemented
for 1.14? I see no mention of this implementation in
http://k5wiki.kerberos.org/wiki/Release_1.14
Thanks