As I read the document, I could not establish the notion that admins are exempted. But I am inclined to agree that the (one and only) super user account could be immune to this.

Given that there is controversy, we can establish our own ruling. However, we need to keep in mind that this potentially constitutes a security vulnerability and we should ask ourselves if we want to go down that path. It might endanger adoption.

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
Services & Solutions for Cloud-Based Manufacturing, Professional Services and Retail & Trade
http://www.orrtiz.com

On Thu, Jul 23, 2015 at 6:58 PM, Emmanuel Lécharny <[email protected]> wrote:

> On 23/07/15 18:47, Theisen, Lucas wrote:
> > The password policy RFC
> > (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8.2.6)
> > is not very explicit, but it seems to me that an admin user account should
> > be exempt from the pwdHistory check.
>
> Agreed.
>
> > It's not uncommon (though ill advised) for admins to supply simple
> > temporary passwords, and if history is long enough, they may have already
> > done so with the same password. This is causing failures for me. I can
> > get around it by manipulating the pwdHistory beforehand, but that seems
> > like it should be unnecessary. What do you think? Should we enable admin
> > to avoid this check?
>
> The super admin (uid=admin, ou=system) should be immune, IMHO.
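The check under discussion, as an added example that is not ApacheDS code and not from any participant in the thread: a small Python model of the pwdHistory check from draft-behera-ldap-password-policy. The pwdHistory value syntax (time "#" syntaxOID "#" length "#" data) and the passwordInHistory error value (8) are taken from the draft; the Entry and Policy shapes, {SSHA} storage, and the exemption keyed on the bound requester DN (uid=admin,ou=system) are assumptions made for illustration, and which identity the exemption should key on is exactly what the thread leaves open.

```python
"""Model of the pwdHistory check from draft-behera-ldap-password-policy.

Added example, not ApacheDS code. Assumed for illustration: the Entry/Policy
shapes, {SSHA} storage, and an exemption keyed on the bound requester DN.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

SUPER_ADMIN_DN = "uid=admin,ou=system"               # the account named in the thread
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"    # syntax OID of userPassword
PASSWORD_IN_HISTORY = 8                               # pwdPolicyResponse error value in the draft


def ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Encode a {SSHA} userPassword value: base64(sha1(pw || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a candidate password against one stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def history_value(stored: str, when: datetime) -> str:
    """Encode one pwdHistory value: time "#" syntaxOID "#" length "#" data."""
    return f"{when.strftime('%Y%m%d%H%M%SZ')}#{OCTET_STRING_OID}#{len(stored.encode())}#{stored}"


def parse_history_value(value: str) -> tuple[str, str, str]:
    """Split a pwdHistory value into (time, syntaxOID, data), checking the length field."""
    time, oid, length, data = value.split("#", 3)   # data may itself contain '#'
    if int(length) != len(data.encode()):
        raise ValueError(f"malformed pwdHistory value: {value!r}")
    return time, oid, data


@dataclass
class Entry:                       # assumed minimal shape of a directory entry
    dn: str
    user_password: str             # current {SSHA} value
    pwd_history: list[str] = field(default_factory=list)   # oldest first


@dataclass
class Policy:                      # assumed subset of a pwdPolicy entry
    pwd_in_history: int = 5        # pwdInHistory: 0 disables the check
    exempt_requesters: frozenset[str] = frozenset({SUPER_ADMIN_DN})


def check_history(policy: Policy, entry: Entry, new_password: bytes,
                  requester_dn: str) -> Optional[int]:
    """Return PASSWORD_IN_HISTORY if the candidate is refused, else None."""
    if policy.pwd_in_history == 0:
        return None
    if requester_dn in policy.exempt_requesters:
        return None   # the exemption debated in the thread: a bound super admin skips the check
    stored = [entry.user_password] + [          # current value plus the retained history
        parse_history_value(v)[2] for v in entry.pwd_history[-policy.pwd_in_history:]
    ]
    if any(ssha_verify(new_password, s) for s in stored):
        return PASSWORD_IN_HISTORY
    return None


def change_password(policy: Policy, entry: Entry, new_password: bytes,
                    requester_dn: str, now: Optional[datetime] = None) -> Optional[int]:
    """Apply the check, then rotate the old value into pwdHistory (bounded by pwdInHistory)."""
    err = check_history(policy, entry, new_password, requester_dn)
    if err is not None:
        return err
    now = now or datetime.now(timezone.utc)
    entry.pwd_history.append(history_value(entry.user_password, now))
    entry.pwd_history = entry.pwd_history[-policy.pwd_in_history:]
    entry.user_password = ssha(new_password)
    return None


def demo() -> tuple[Optional[int], Optional[int], int]:
    """Constructed scenario: a user reusing a password is refused, the super admin is not."""
    policy = Policy(pwd_in_history=3)
    alice = Entry("uid=alice,ou=users,ou=system", ssha(b"Winter2015!"))
    for pw in (b"Spring2015!", b"Summer2015!"):
        assert change_password(policy, alice, pw, alice.dn) is None
    reuse_by_user = change_password(policy, alice, b"Winter2015!", alice.dn)         # 8
    reuse_by_admin = change_password(policy, alice, b"Winter2015!", SUPER_ADMIN_DN)  # None
    return reuse_by_user, reuse_by_admin, len(alice.pwd_history)                     # (8, None, 3)


if __name__ == "__main__":
    print(demo())
```

The caveat raised above shows up directly in demo(): once the bypass exists, the super admin can push any previously used password back onto an entry, so if it is adopted it should be limited to exactly one DN rather than to every account with administrative rights, and the rotation into pwdHistory should still happen on the bypassed change so the user is held to the policy afterwards.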
