John Trump via FreeIPA-users wrote:
> I am using FreeIPA 4.4 and have implemented a password policy where
> password history is set to 24. If a password admin or the user "admin"
> resets a user's password, the user is forced to change their password
> upon logging in. At this point, the user is able to reuse the previous
> password even though it should be in their password history. How do I
> make it so a password reset by an admin does not wipe out the users'
> password history?

I don't think the history is being wiped out. You can confirm by
searching as Directory Manager:

$ ldapsearch -x -D 'cn=directory manager' -W \
    -b uid=joe,cn=users,cn=accounts,dc=example,dc=com passwordhistory

It's been a very long time since I've looked at this code. I know there
is some special handling around resets and password history (e.g. it
gets skipped in this case). I don't know and somehow doubt it would be
skipped in the case of setting a new password in case of reset.

Do you know if other policy is being applied, like length, character
mix, etc?

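The check suggested in the reply can be made repeatable by saving the ldapsearch output before and after the admin reset and comparing the passwordHistory values. The Python below is an added example, not part of the original message or of FreeIPA; the function names and the sample LDIF (with placeholder hash strings) are constructed for illustration.

```python
import base64

def history_values(ldif_text, attr="passwordhistory"):
    """Return the values of `attr` found in ldapsearch LDIF output, as bytes."""
    lines = []
    for raw in ldif_text.splitlines():
        # LDIF folds long lines: a line starting with one space continues the previous one.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#") or name.strip().lower() != attr:
            continue
        if rest.startswith(":"):          # "attr:: <base64>" form
            values.append(base64.b64decode(rest[1:].strip()))
        else:                             # "attr: <plain>" form
            values.append(rest.strip().encode())
    return values

def compare_history(before_ldif, after_ldif):
    """Summarise what happened to the history between two snapshots."""
    before, after = history_values(before_ldif), history_values(after_ldif)
    return {
        "before": len(before),
        "after": len(after),
        "retained": sum(1 for v in before if v in after),
        "wiped": bool(before) and not after,
    }

# Constructed sample snapshots; the hash strings are placeholders, not real hashes.
DN = "dn: uid=joe,cn=users,cn=accounts,dc=example,dc=com\n"
OLD2 = base64.b64encode(b"{SSHA512}constructed-old-2").decode()
BEFORE = DN + "passwordHistory: {SSHA512}constructed-\n old-1\n" \
            + "passwordHistory:: " + OLD2 + "\n"
AFTER = BEFORE + "passwordHistory: {SSHA512}constructed-old-3\n"

if __name__ == "__main__":
    print(compare_history(BEFORE, AFTER))
```

Feed it the saved output of the ldapsearch command from the reply, taken once before and once after the reset; a result with "wiped" set to True would mean the reset cleared the attribute.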