Password History


 



I have a centralized OpenLdap instance with one master and several slaves.
 
I also have a large number of hosts that use Ldap for user authentication. All systems look to one of the slaves for all authentication, but when the user needs to change his password the slaves send a referral to the client redirecting them to the master.
 
This all works well, but now I must keep password history.
 
I have found references for modifying the /etc/pam.d/system-auth file to make the system remember some number of past passwords by adding remember=X to the pam_unix line, but it states the history will be kept in the /etc/security/opasswd file.
 
This sounds like the history will be kept on the system where the password was changed. If that is the case, then the next time that user changes his password and happens to be on a different system, his history will not be correct.
 
Is it possible to have the history maintained on the Ldap master server, where the password change is really happening? Does the pam_ldap module support password history? If so, where in the Ldap database will this information be saved? Do I need to modify my schemas?
 
Kevin
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
