pwdHistory and admin

2015-07-23 Thread Theisen, Lucas
The password policy RFC (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8.2.6) is not very explicit, but it seems to me that an admin user account should be exempt from the pwdHistory check. It's not uncommon (though ill advised) for admins to supply simple temporary

Re: pwdHistory and admin

2015-07-23 Thread Emmanuel Lécharny
On 23/07/15 19:07, Pierre Smits wrote: As I read the document, I could not establish the notion that admins are exempted. But I am inclined to agree that the (one and only) super user account could be immune to this. Given that there is controversy, we can establish our own ruling.

Re: pwdHistory and admin

2015-07-23 Thread Pierre Smits
Thanks, Emmanuel. I would say that such also constitutes an adoption risk. Reinstalling an in-production setup is not an option!? I wonder how our major competitors are handling/selling this. Best regards, Pierre Smits *ORRTIZ.COM http://www.orrtiz.com* Services Solutions for Cloud- Based

Re: pwdHistory and admin

2015-07-23 Thread Emmanuel Lécharny
On 23/07/15 18:47, Theisen, Lucas wrote: The password policy RFC (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8.2.6) is not very explicit, but it seems to me that an admin user account should be exempt from the pwdHistory check. Agreed. It's not uncommon

Re: pwdHistory and admin

2015-07-23 Thread Pierre Smits
As I read the document, I could not establish the notion that admins are exempted. But I am inclined to agree that the (one and only) super user account could be immune to this. Given that there is controversy, we can establish our own ruling. However, we need to keep in mind that this

Re: pwdHistory and admin

2015-07-23 Thread Lothar Haeger
Sounds advisable to me; this is how eDirectory handles admin password resets, btw. Not just to prevent reuse of simple temp passwords, but also to prevent a) telling admins real previous passwords that could still be in use elsewhere or b) giving hints on a user's password scheme which may