Anonymous_User Absent Member.

How does password history work without having UP enabled?


Looking for information about how password history works if you don't
have Universal Password enabled (i.e. relying solely upon the "require
unique password" setting on the user accounts). Mainly what I'm trying
to figure out is whether an admin-style reset (i.e. resetting another
user's password) checks and/or enforces password history when it's set.
I've found rather little on the topic as password history hits all seem
to be related to Universal Password settings. We have an older
application that's saying that in one release of their software,
resetting with an appid will know whether a password has been used, but a
newer version that uses a different directory and appid can reset to an
old password as much as it wants (and from what I can tell, the
password-related settings are the same in both directories). In my
testing, the only thing I've found is that you can replace an existing
password on another object, but you can't delete/add an existing
password on another object (using LDIF), which is one difference that I
see based on looking at traces I've grabbed. We aren't using UP on
these accounts due to some conflicts of functionality that happens when
we turn it on and use a password policy. We've started rolling out 8.8
SP7 patch 3, but the results are the same on that version or on 8.8 SP6
patch2, which is what we were running. Servers are SLES11 SP2 (not
OES).


--
infinity9999
------------------------------------------------------------------------
infinity9999's Profile: https://forums.netiq.com/member.php?userid=1343
View this thread: https://forums.netiq.com/showthread.php?t=48444


Re: How does password history work without having UP enabled?


> whether an admin-style reset (i.e. resetting another user's password)
> checks and/or enforces password history when it's set.

Without testing myself, I'm pretty sure it does. The password history is
retained in eDir for as many changes as you've specified (usually 8).

> a newer version that uses a different directory

I'm not sure what you mean by 'directory' here. A different tree? AD vs
eDir?


--
ataubman
------------------------------------------------------------------------
ataubman's Profile: https://forums.netiq.com/member.php?userid=301
View this thread: https://forums.netiq.com/showthread.php?t=48444


Re: How does password history work without having UP enabled?


ataubman;232864 Wrote:
> I'm not sure what you mean by 'directory' here. A different tree? AD vs
> eDir?


Yes, it's a different tree.


--
infinity9999


Re: How does password history work without having UP enabled?


With legacy (aka NDS) password, admin reset doesn't care about password
history, far as I can recall as it was a "bone of contention" with some
people for years in the past. And far as I can recall, NDS password
history is hardcoded at 10 entries, while bindery password history was
8.

And you cannot "delete/add" a password via LDIF because that would
imply one (or something) can first read the password (so you can delete
the correct value). But since passwords aren't stored as clear text, the
LDAP engine has no way to look that up (in the case of UP, as that
actually is handled via NMAS), and NDS passwords are stored as RSA
hashes.


--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=48444


Re: How does password history work without having UP enabled?


peterkuo;232872 Wrote:
> With legacy (aka NDS) password, admin reset doesn't care about password
> history, far as I can recall as it was a "bone of contention" with some
> people for years in the past. And far as I can recall, NDS password
> history is hardcoded at 10 entries, while bindery password history was
> 8.
>
> And you cannot "delete/add" a password via LDIF because that would
> imply one (or something) can first read the password (so you can delete
> the correct value). But since passwords aren't stored as clear text, the
> LDAP engine has no way to look that up (in the case of UP, as that
> actually is handled via NMAS), and NDS passwords are stored as RSA
> hashes.


Thanks. That's what I thought, but I haven't been able to find any
actual documentation that actually explains it.


--
infinity9999


Re: How does password history work without having UP enabled?


Follow up question. Does password history functionality change when you
enable Universal Password but don't set any password history related
settings?


--
infinity9999


Re: How does password history work without having UP enabled?

If you enable UP but do not enable history in the policy then UP does not
enforce history.

Good luck.

Re: How does password history work without having UP enabled?


I've been doing some testing and it seems like password history is
enforced when UP is not enabled (i.e. old style NDS), but when you
enable UP and don't set any password history settings, it will recognize
a previously used password on a delete/add combo, but replace operations
go through without any complaint (and yes, I know that delete/add is
normally not used, but I'm testing all the cases to see when the history
actually gets evaluated). So it's like the history is still there, but
it only gets checked when you try to change it from a known value.


--
infinity9999


Re: How does password history work without having UP enabled?

Sorry, I misunderstood your question and only considered a new UP install
vs. a legacy history from NDS Passwords.

Something worth noting is that delete/add isn't necessarily evil or
forbidden via LDAP, and in fact I think it works even though Peter thinks
otherwise. The difference is that a delete/add when you provide both the
deleted (old password) value and the new (new password) value implies that
you are the user making the password change, and since you are the user
(after all, who else would know the old password) you must comply
with history requirements. If you do a replace, though, you do not specify
the old value and therefore you must be an admin (no history applies).
This is how it worked the last time I tested about a year ago.

Good luck.
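The two LDIF modify shapes being tested in this thread (a delete/add pair that carries the old value, and a bare replace that does not), and the history behaviour the posters report for them, as an added Python model. This is not eDirectory, NMAS or LDIF-tool code and comes from none of the posters: the in-memory account, its salted-hash history, the default depth of 8 (the figure quoted earlier in the thread), the sample DN and passwords are all constructed here, and the `universal_password` switch simply reproduces the observations in the posts (delete/add checked against history in both modes, replace checked only without UP) rather than documented product behaviour. The LDIF generator and parser follow RFC 2849, including the `::` base64 form for values that are not SAFE-STRINGs.

```python
"""Model of the two LDAP modify shapes discussed in the thread, applied to a
toy in-memory account. Constructed illustration, not eDirectory/NMAS code."""
import base64
import hashlib
import hmac
import os

# ---- LDIF (RFC 2849) generation and parsing --------------------------------

def ldif_line(attr: str, value: str) -> str:
    """Render 'attr: value'; fall back to 'attr:: base64' when the value is not
    a SAFE-STRING (non-ASCII, leading space/':'/'<', or trailing space)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def replace_ldif(dn: str, new_password: str) -> str:
    """Admin-style reset: only the new value is sent."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: userPassword",
                      ldif_line("userPassword", new_password), "-", ""])


def delete_add_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-change shape: the caller supplies the old value it is deleting."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "delete: userPassword",
                      ldif_line("userPassword", old_password), "-",
                      "add: userPassword",
                      ldif_line("userPassword", new_password), "-", ""])


def parse_modify(ldif_text: str):
    """Parse one 'changetype: modify' record into (dn, [(op, attr, values)])."""
    lines = [l for l in ldif_text.splitlines() if l and not l.startswith("#")]
    if not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("not a modify record")
    dn, ops, current = lines[0][4:], [], None
    for line in lines[2:]:
        if line == "-":                      # end of one change
            ops.append(current)
            current = None
            continue
        attr, _, rest = line.partition(":")
        if current is None:                  # 'delete: userPassword' etc.
            current = (attr, rest.strip(), [])
            continue
        if rest.startswith(":"):             # 'attr:: <base64>'
            current[2].append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            current[2].append(rest.strip())
    return dn, ops

# ---- Toy account with a bounded password history ---------------------------

class Account:
    def __init__(self, dn: str, password: str, history_depth: int = 8):
        self.dn = dn
        self.history_depth = history_depth   # 8 as quoted in the thread (assumed default)
        self.history = []                    # [(salt, digest)], oldest first, includes current
        self._set(password)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(self._digest(password, salt), digest)

    def _set(self, password: str) -> None:
        salt = os.urandom(16)
        self.current = (salt, self._digest(password, salt))
        self.history = (self.history + [self.current])[-self.history_depth:]

    def in_history(self, password: str) -> bool:
        return any(self._matches(password, e) for e in self.history)


def apply_modify(account: Account, ldif_text: str, universal_password: bool = True) -> str:
    """Apply a modify record and return an LDAP result-code name.
    The history rules reproduce what the thread reports, not documentation:
    delete/add is treated as a self-change and checked against history in both
    modes; replace is treated as an admin reset and checked only without UP."""
    dn, ops = parse_modify(ldif_text)
    if dn != account.dn:
        return "noSuchObject"
    kinds = [op for op, attr, _ in ops if attr == "userPassword"]
    values = {op: vals for op, attr, vals in ops if attr == "userPassword"}
    if kinds == ["delete", "add"]:
        if not values["delete"] or not values["add"]:
            return "unwillingToPerform"       # whole-attribute delete is not a self-change
        old, new = values["delete"][0], values["add"][0]
        if not account._matches(old, account.current):
            return "noSuchAttribute"          # old value not present: nothing to delete
        if account.in_history(new):
            return "constraintViolation"      # password reuse
        account._set(new)
        return "success"
    if kinds == ["replace"] and values["replace"]:
        new = values["replace"][0]
        if not universal_password and account.in_history(new):
            return "constraintViolation"      # legacy NDS path as observed by the OP
        account._set(new)
        return "success"
    return "unwillingToPerform"
```

Running a self-change back to a previous value through `apply_modify` returns `constraintViolation` whichever way the switch is set, while a `replace` back to the same value succeeds only with `universal_password=True`, which is the asymmetry the last two posts describe. The useful defensive takeaway from the model is that a bare `replace` on `userPassword` is by construction an administrative reset, so an audit that wants to catch reuse through resets has to look at the reset path itself rather than rely on the self-service history check.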

Re: How does password history work without having UP enabled?


Yeah, that's what I've been seeing, although oddly my testing with me
modifying a test account has shown that if I don't have UP turned on,
even doing a replace makes it fail with a duplicate password error, so
something is still out there and able to check it, even using a replace
operation. With UP enabled, replaces go through with old values.
Delete/add combos trying to set it back to an old password fail in both
cases. Just weird.


--
infinity9999
