On Apr 14, 2022, at 20:49, Jonathan Billings <billings@negate.org> wrote:
Anyway, storing passwords is a terrible idea, and even worse is a history of old passwords. At best you store hashes.
Now that I have said that, if you are using OpenLDAP as an authentication source (and not just binding to it), there is a password policy overlay you can use that lets you set the number of passwords you save, password quality, and so forth. Described here:
But using LDAP as a place to store your password hashes is only a little better than NIS and I would recommend against it. If you want to use LDAP for storing user data, I have no problem. But use Kerberos for authentication and LDAP for authorization. And use FreeIPA instead of OpenLDAP.
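As an added example that is not part of Jonathan's message, the password policy overlay he refers to is slapo-ppolicy. The LDIF below assumes a cn=config deployment with an existing module list entry cn=module{0}, an mdb database at olcDatabase={1}mdb, and the suffix dc=example,dc=com; the policy values (history of 5, 12-character minimum, 90-day expiry, lockout after 5 failures) are illustrative choices.

```ldif
# Load the ppolicy overlay module. OpenLDAP 2.5+ ships the ppolicy schema
# built in; older releases need schema/ppolicy.ldif loaded first.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Attach the overlay to the database and point it at a default policy entry.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext userPassword values on Modify so only hashes are stored,
# which matters because ppolicy keeps old values in pwdHistory.
olcPPolicyHashCleartext: TRUE

# Container for policy entries (assumed not to exist yet).
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

# The policy itself. pwdPolicy is auxiliary, so a structural class is needed.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: applicationProcess
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Remember the last 5 hashes and reject reuse of any of them.
pwdInHistory: 5
# 2 = always check quality; reject a password the server cannot inspect
# (for example one a client sends already hashed). 1 would accept it.
pwdCheckQuality: 2
pwdMinLength: 12
# Seconds: 90 days until a password expires.
pwdMaxAge: 7776000
# Lock the account for 15 minutes after 5 failures within 5 minutes.
pwdMaxFailure: 5
pwdFailureCountInterval: 300
pwdLockout: TRUE
pwdLockoutDuration: 900
# Require a change after an administrator resets the password.
pwdMustChange: TRUE
```

Apply the cn=config changes with `ldapmodify -a -Y EXTERNAL -H ldapi:///` and the ou=policies entries as the database rootdn; check the result by attempting a password change to a value already in pwdHistory, which the server should refuse with a "password in history" constraint violation.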