[Freeipa-users] password history

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 13 11:00:06 UTC 2017


On Thu, 13 Apr 2017, Richard Neuboeck wrote:
>Hi there,
>
>I'm hoping someone can help me find the password history entries for
>a particular user.
>
>The policy is set up to store 10 passwords. Changing the password
>confirms that the history works properly.
>
>From what I've found online I was led to believe that the history
>entries are stored in krbPwdHistory and that I should be able to
>access those entries as 'Directory Manager' without restrictions.
>
>https://www.redhat.com/archives/freeipa-users/2013-July/msg00166.html
>
>However this attribute doesn't show up. Searching the database I
>found the appropriate entry in the policy (krbPwdHistoryLength) for
>how many passwords are stored but not the password history attribute
>itself.
>
>I've been searching the database for a specific user like this:
>ldapsearch -x -D 'cn=Directory Manager' -W -b
>'uid=frink,cn=users,cn=accounts,dc=example,dc=com'
>
>and also searched the whole domain (default base):
>ldapsearch -x -D 'cn=Directory Manager' -W
>
>I've also compared the output of the whole domain prior and post to
>changing a user's password. The attributes that changed did not
>include an obvious history element (unless there is some kind of
>magic involved).
>
>Some more details about the setup:
>ipa-server-4.4.0-14.el7.centos.6.x86_64, obviously running on CentOS 7.
>
>I would highly appreciate any pointers as to where I could find the
>history of password hashes!
Password history is stored in the passwordHistory attribute. This attribute
is not returned by default; one has to specify it explicitly.

-- 
/ Alexander Bokovoy
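
Added example, not part of the original thread: the search from the question with passwordHistory requested by name, plus a check that the number of stored entries stays within the policy's history length. It assumes OpenLDAP's ldapsearch; the function names are hypothetical and the sample LDIF is constructed (placeholder values, not real hashes).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Name passwordHistory in the attribute list: a search with no attribute
# list does not return it. $1 = user DN; -W prompts for the bind password.
fetch_history() {
    ldapsearch -x -LLL -D 'cn=Directory Manager' -W \
        -b "$1" -s base passwordHistory
}

# Count passwordHistory values in LDIF read from stdin. Handles folded
# lines (continuations start with one space) and base64 values ("attr::").
count_history() {
    awk '
        /^ /  { cur = cur substr($0, 2); next }   # LDIF continuation line
              { if (tolower(cur) ~ /^passwordhistory::?/) n++; cur = $0 }
        END   { if (tolower(cur) ~ /^passwordhistory::?/) n++; print n + 0 }
    '
}

# Succeeds when the entry on stdin holds at most $1 history values
# ($1 = krbPwdHistoryLength from the policy, 10 in the question).
history_within_policy() {
    [ "$(count_history)" -le "$1" ]
}

# Constructed sample of what fetch_history would print (placeholder values).
sample_ldif() {
    cat <<'EOF'
dn: uid=frink,cn=users,cn=accounts,dc=example,dc=com
passwordHistory:: UExBQ0VIT0xERVItT05F
passwordHistory:: UExBQ0VIT0xERVItVFdPLXBhZGRlZC1zby10aGF0LXRoZS12YWx1ZS1pcy1mb2xkZWQt
 b250by1hLXNlY29uZC1saW5l
passwordHistory: PLACEHOLDER-THREE
EOF
}

# Offline demonstration on the constructed sample.
sample_ldif | count_history   # prints 3

# Against a live server:
#   fetch_history 'uid=frink,cn=users,cn=accounts,dc=example,dc=com' \
#       | history_within_policy 10 && echo "history within policy"
```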



