Hi, I see that the "-history" option for "add_policy" (in kadmin) is not supported when using the LDAP backend for Kerberos [1].
Is there *any* other way to ensure a user doesn't reuse one of his previous four keys when changing passwords and the Kerberos database is in LDAP? I ask because this is apparently a requirement in the PCI DSS and Card Production standard (section 7.2.2 in the latter), which will become relevant for us in a few months for a new site we are building.

We normally use the LDAP backend for Kerberos at our existing sites, which works great and allows us, among other things, to leverage OpenLDAP's mirror-mode replication for high availability instead of having to run kprop/kpropd via cron. I'd like to use LDAP as the Kerberos database at the new site, but this requirement and the missing history support seem like a showstopper.

Any ideas or advice?

Thanks,
Andreas

[1] http://web.mit.edu/kerberos/krb5-devel/doc/admin/database.html#add-policy
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos