The password policy RFC
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8.2.6) 
is not very explicit, but it seems to me that an admin user account should be 
exempt from the pwdHistory check.  It's not uncommon (though ill-advised) for 
admins to supply simple temporary passwords, and if history is long enough, 
they may have already done so with the same password.  This is causing failures 
for me.  I can get around it by manipulating the pwdHistory beforehand, but 
that seems like it should be unnecessary.  What do you think?  Should we enable 
admin to avoid this check?

Thank You,
Lucas Theisen
lthei...@mitre.org
