On Fri, Jul 28, 2017 at 9:27 PM, Rob Crittenden via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> John Trump via FreeIPA-users wrote:
>> I am using FreeIPA 4.4 and have implemented a password policy where
>> password history is set to 24. If a password admin or the user "admin"
>> resets a users password, the user is forced to change their password
>> upon logging in. At this point, the user is able to reuse the previous
>> password even though it should be in their password history. How do I
>> make it so a password reset by an admin does not wipe out the users'
>> password history?

Sounds like bug https://pagure.io/freeipa/issue/6402 which was fixed
in last upstream major release - FreeIPA 4.5

> I don't think the history is being wiped out. You can confirm by
> searching as Directory Manager:
> $ ldapsearch -x -D 'cn=directory manager' -W -b
> uid=joe,cn=users,cn=accounts,dc=example,dc=com passwordhistory
> It's been a very long time since I've looked at this code. I know there
> is some special handling around resets and password history (e.g. it
> gets skipped in this case). I don't know and somehow doubt it would be
> skipped in the case of setting a new password in case of reset.
> Do you know if other policy is being applied, like length, character
> mix, etc?
> rob

Petr Vobornik
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to