On Fri, Jul 28, 2017 at 9:27 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> John Trump via FreeIPA-users wrote:
>> I am using FreeIPA 4.4 and have implemented a password policy where
>> password history is set to 24. If a password admin or the user "admin"
>> resets a user's password, the user is forced to change their password
>> upon logging in. At this point, the user is able to reuse the previous
>> password even though it should be in their password history. How do I
>> make it so a password reset by an admin does not wipe out the users'
>> password history?

Sounds like bug https://pagure.io/freeipa/issue/6402, which was fixed in the last upstream major release - FreeIPA 4.5

> I don't think the history is being wiped out. You can confirm by
> searching as Directory Manager:
>
> $ ldapsearch -x -D 'cn=directory manager' -W -b uid=joe,cn=users,cn=accounts,dc=example,dc=com passwordhistory
>
> It's been a very long time since I've looked at this code. I know there
> is some special handling around resets and password history (e.g. it
> gets skipped in this case). I don't know and somehow doubt it would be
> skipped in the case of setting a new password in case of reset.
>
> Do you know if other policy is being applied, like length, character
> mix, etc?
>
> rob

--
Petr Vobornik
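
To make the check suggested in the thread repeatable, this added example (not part of the thread and not FreeIPA code) compares the passwordHistory values in two saved outputs of the quoted ldapsearch command, one taken before the admin reset and one after. The function names, file names and sample LDIF values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare passwordHistory values in two
# LDIF snapshots saved from the ldapsearch command quoted above, e.g.
#   ldapsearch -x -D 'cn=directory manager' -W -b <user DN> passwordhistory > before.ldif

# Join LDIF continuation lines (a leading single space continues the previous line).
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# Print every passwordHistory value, one per line; the attribute name is
# matched case-insensitively and both "attr: v" and "attr:: base64" are accepted.
history_values() {
    ldif_unfold | awk 'tolower($0) ~ /^passwordhistory::? / {
        sub(/^[^:]+::? */, ""); print }'
}

count_history() { history_values < "$1" | wc -l | tr -d ' '; }

# Number of history values present in snapshot $1 but missing from snapshot $2.
lost_history() {
    b=$(mktemp); a=$(mktemp)
    history_values < "$1" | LC_ALL=C sort -u > "$b"
    history_values < "$2" | LC_ALL=C sort -u > "$a"
    LC_ALL=C comm -23 "$b" "$a" | wc -l | tr -d ' '
    rm -f "$b" "$a"
}

# Constructed sample snapshots (placeholder values, not real hashes).
sample_before() { cat <<'EOF'
dn: uid=joe,cn=users,cn=accounts,dc=example,dc=com
passwordHistory:: Q09OU1RSVUNURUQtT0xELTE=
passwordhistory:: Q09OU1RSVUNU
 RUQtT0xELTI=
EOF
}
sample_after() { cat <<'EOF'
dn: uid=joe,cn=users,cn=accounts,dc=example,dc=com
passwordHistory:: Q09OU1RSVUNURUQtTkVXLTE=
EOF
}

# Demo on the constructed samples: two entries before, one after, both old ones gone.
before=$(mktemp); after=$(mktemp)
sample_before > "$before"; sample_after > "$after"
echo "before=$(count_history "$before") after=$(count_history "$after") lost=$(lost_history "$before" "$after")"
rm -f "$before" "$after"
```

A non-zero `lost` count only shows that earlier values are no longer stored; once the policy's history size is reached, the oldest entries are expected to roll off.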