On Apr 11, 2022, at 14:16, Kaushal Shriyan <kaushalshriyan@gmail.com> wrote:
Is there a way to retrieve the OpenLDAP password history list using openldap utilities?
For example to get the history of passwords which a user has used and the timestamp associated with it when the password has been resetted.
OpenLDAP has a variety of mechanisms for performing authentication, listed here:
None of the built in mechanisms have any metadata about last changed or any history, it would be up to you to archive them as you changed them.
When using SASL, you could possibly be using it against a backend that has that data, but it wouldn’t be accessible via the OpenLDAP server.
Anyway, storing passwords is a terrible idea, even worse a history of old passwords. At best you store hashes.
Your question reminds me of this classic post about a clueless auditor:
I wonder if you have an equally clueless auditor asking the same questions?