I'm not sure if this is truly a vulnerability, but I thought I'd put it out 
there for discussion.

openldap 2.4.6
bdb backend
ppolicy overlay

I have set up a default ppolicy such that 3 old passwords are stored in a 
user's pwdHistory attribute.

When I back up the bdb database via slapcat -l backup.ldif the userPassword 
field looks to be Base64 hashed.

userPassword:: e1NTSEF9VWFTNDNVDRWEx1QzEyWjASGVWc0VZHRNTmt4M1c=

but the passwd history leaves the passwd hashes visible.

pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4

Obviously these backup LDIF files are kept as secure as possible, and these are 
OLD passwds, but should the pwdHistory attribute also be hashed when being 
slapcated?

Scott
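The following is an added example for this thread, not code from the original post or from OpenLDAP. It round-trips a constructed entry in the shape slapcat emits: the double colon after userPassword is LDIF's marker for a base64-encoded value, so decoding it gives back the same {SSHA} string that pwdHistory carries in the clear, and both verify a password the same way (SHA-1 over password plus salt, then base64 of digest plus salt). The history format time#syntaxOID#length#value is parsed and its length field checked; with a 4-byte salt the value is 38 characters, the same length the post's history entry declares. The DN, passwords, fixed salts, the 4-byte salt size and the 76-column line folding are assumptions made for the example.

```python
"""Added example: slapcat's '::' is base64, not a hash, and pwdHistory exposes
the same {SSHA} material. Not OpenLDAP code; sample data is constructed."""

import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Octet String syntax OID, as it appears in the pwdHistory value in the post.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"
LDIF_LINE_WIDTH = 76  # assumed fold width; continuation lines start with a space


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: bytes, stored: str) -> bool:
    """Check a password against a {SSHA} value; works on history entries too."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def fold(line: str) -> str:
    """LDIF line folding: wrap at the width, continuation lines start with ' '."""
    out, rest = line[:LDIF_LINE_WIDTH], line[LDIF_LINE_WIDTH:]
    while rest:
        out += "\n " + rest[:LDIF_LINE_WIDTH - 1]
        rest = rest[LDIF_LINE_WIDTH - 1:]
    return out


def make_ldif(dn: str, current: str, history: List[Tuple[str, str]]) -> str:
    """Emit an entry the way the post shows it: userPassword base64-encoded
    ('::'), pwdHistory as time#syntaxOID#length#value in the clear."""
    lines = [f"dn: {dn}"]
    b64 = base64.b64encode(current.encode("ascii")).decode("ascii")
    lines.append(fold(f"userPassword:: {b64}"))
    for ts, old in history:
        lines.append(fold(f"pwdHistory: {ts}#{OCTET_STRING_OID}#{len(old)}#{old}"))
    return "\n".join(lines) + "\n"


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Unfold continuation lines and decode '::' (base64) values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line:
            unfolded.append(line)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def parse_pwd_history(value: str) -> Tuple[str, str, str]:
    """Split 'time#syntaxOID#length#data' and check the declared length."""
    ts, oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError(f"length field {length} does not match {len(data)}")
    return ts, oid, data


def demo() -> Dict[str, object]:
    """Round-trip constructed data: the history hash is as usable as the current
    one, and base64 decoding recovers the current one unchanged."""
    # Fixed salts keep the example deterministic; real salts are random.
    current = make_ssha(b"Winter2007!", b"\x01\x02\x03\x04")
    old = make_ssha(b"Autumn2007!", b"\x05\x06\x07\x08")
    ldif = make_ldif("uid=scott,dc=example,dc=com", current,
                     [("20071203220105Z", old)])
    attrs = parse_ldif(ldif)
    decoded_current = attrs["userPassword"][0]
    _, oid, history_hash = parse_pwd_history(attrs["pwdHistory"][0])
    return {
        "ldif": ldif,
        "decoded_current": decoded_current,
        "history_oid": oid,
        "history_hash": history_hash,
        "current_ok": verify_ssha(b"Winter2007!", decoded_current),
        "old_ok": verify_ssha(b"Autumn2007!", history_hash),
        "old_wrong": verify_ssha(b"Winter2007!", history_hash),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it prints the constructed LDIF with the folded pwdHistory line, then shows that the decoded userPassword and the history value both start with {SSHA}, are both 38 characters, and both verify their respective passwords; from an attacker's point of view the two attributes in a backup are equivalent, which is the point of the question above.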
