On ke, 03 touko 2017, Patrick Hemmer wrote:
Would it be reasonable to request a feature for FreeIPA to enforce
password history reuse based on age, instead of a count? Meaning
configure FreeIPA to enforce that a password cannot be reused within the
last 1 year? Then we could remove the minimum time between password
changes, and not worry about people cycling through X passwords to be
able to reuse one.
When we were using OpenLDAP for user account management, I wrote an
extension for it to do just that and it was rather convenient (not
having to deal with an annoying min-change-time). The whole
min-time-between-changes, and number-of-passwords-in-history thing has
always seemed like a hack to accomplish the true goal of preventing
users from reusing passwords within a certain amount of time.
Please file a ticket for FreeIPA. We want to eventually move all this
code to 389-ds itself so that its password history check plugin could
support all IPA-related features as well but it is not there yet.
I think password age based checks are a reasonable request.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project