On 11/04/2014 12:54 PM, Andreas Ntaflos wrote:
> Hi,
>
> I see that the "-history" option for "add_policy" (in kadmin) is not
> supported when using the LDAP backend for Kerberos [1].

We expect to have this implemented for 1.14 (see
https://github.com/krb5/krb5/pull/132 ) but for now that is true.

> Is there *any* other way to ensure a user doesn't use one of his
> previous four keys when changing passwords and the Kerberos database is
> in LDAP?

You could write a password quality plugin module (see
http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/index.html ) and
maintain your own database of password hashes. You might use
http://www.eyrie.org/~eagle/software/krb5-strength/ as a starting point;
it contains password history functionality, but doesn't provide it for
use with MIT krb5.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
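
The history bookkeeping that a self-maintained database of password hashes needs, as an added example that is not part of the original message and is not code from MIT krb5 or krb5-strength. The class and method names, the in-memory dict standing in for a persistent store, and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 4  # "previous four" from the question above


class PasswordHistory:
    """Hypothetical per-principal store of (salt, digest) pairs, newest last."""

    def __init__(self, depth=HISTORY_DEPTH, rounds=200_000):
        self.depth = depth
        self.rounds = rounds  # assumed PBKDF2 work factor; tune for your hardware
        self._store = {}      # principal name -> [(salt, digest), ...]

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.rounds)

    def is_reused(self, principal, password):
        # Every entry has its own random salt, so stored digests cannot be
        # compared with each other; the candidate is re-hashed per entry.
        reused = False
        for salt, digest in self._store.get(principal, []):
            # Constant-time compare, and no early exit on a match.
            if hmac.compare_digest(self._digest(password, salt), digest):
                reused = True
        return reused

    def record(self, principal, password):
        salt = os.urandom(16)
        entries = self._store.setdefault(principal, [])
        entries.append((salt, self._digest(password, salt)))
        # Drop everything older than the newest `depth` entries.
        del entries[:-self.depth]

    def change_password(self, principal, new_password):
        """Return True and record the password if it is not in the history."""
        if self.is_reused(principal, new_password):
            return False
        self.record(principal, new_password)
        return True


if __name__ == "__main__":
    history = PasswordHistory()
    princ = "alice@EXAMPLE.COM"  # constructed sample principal
    print(history.change_password(princ, "first-constructed-pw"))
    print(history.change_password(princ, "first-constructed-pw"))
```

Such a store holds material an attacker can run offline guessing against, so it warrants the same protection as the KDC database itself.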