On Apr 14, 2022, at 20:49, Jonathan Billings <billings(a)negate.org> wrote:
Anyway, storing passwords is a terrible idea, and a history of old passwords is even worse. At
best you store hashes.
Now that I have said that, if you are using OpenLDAP as an authentication source (and not
just binding to it), there is a password policy overlay you can use, with which you can set the
number of passwords you save, password quality, and so forth. Described here:
https://www.openldap.org/doc/admin26/overlays.html#Password%20Policies
But using LDAP as a place to store your password hashes is only a little better than NIS
and I would recommend against it. If you want to use LDAP for storing user data, I have
no problem. But use Kerberos for authentication and LDAP for authorization. And use
FreeIPA instead of OpenLDAP.
—
Jonathan Billings
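Added example, not part of the message above: an LDIF sketch of the OpenLDAP ppolicy overlay Jonathan refers to, configured so that a history of old passwords is kept only as hashes. The module path, database index (olcDatabase={1}mdb), suffix dc=example,dc=com and policy DN are assumptions.

```ldif
# --- Part 1: applied to cn=config (e.g. ldapmodify -Y EXTERNAL -H ldapi:///) ---

# Load the overlay module. Assumes cn=module{0} already exists and olcModulePath
# points at the distribution's module directory.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Hash cleartext passwords on write, so userPassword (and therefore the copies
# ppolicy keeps in pwdHistory) never holds cleartext. Assumed database: {1}mdb.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

# Attach the overlay to that database and point it at a default policy entry.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# --- Part 2: applied to the data tree with an identity allowed to write there ---

# The default policy. pwdInHistory is the "number of passwords you save":
# the previous 5 userPassword values are kept in pwdHistory and reuse is refused.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdInHistory: 5
pwdMinLength: 12
# 2 = reject the change if quality cannot be checked (e.g. client sent a pre-hashed value)
pwdCheckQuality: 2
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
```

The two parts are separate ldapmodify runs: the first targets the cn=config tree, the second the ou=policies branch, which must exist before the policy entry is added.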