directory-dev mailing list archives

From Lothar Haeger <lothar.hae...@brummelhook.com>
Subject Re: pwdHistory and admin
Date Thu, 23 Jul 2015 17:06:56 GMT
Sounds advisable to me, this is how eDirectory handles admin password resets, btw. Not just
to prevent reuse of simple temp passwords, but also to prevent

a) telling admins real previous passwords that could still be in use elsewhere or
b) giving hints on a user's password scheme which may enable the admin to guess current/future
passwords.

For that reason only a user himself must be able to see the "already in history" type of error
on a password change. Admins should be able to set any password for other accounts, as long
as it adheres to the password complexity policy.

Cheers, Lothar

> On 23.07.2015 at 18:47, Theisen, Lucas <ltheisen@mitre.org> wrote:
> 
> The password policy RFC (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8.2.6) is
> not very explicit, but it seems to me that an admin user account should be exempt from the
> pwdHistory check.  It's not uncommon (though ill advised) for admins to supply simple temporary
> passwords, and if history is long enough, they may have already done so with the same password.
> This is causing failures for me.  I can get around it by manipulating the pwdHistory beforehand,
> but that seems like it should be unnecessary.  What do you think?  Should we enable admin
> to avoid this check?
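The split described in this message (complexity enforced for everyone, the history check and its "already in history" error applied only when a user changes their own password), written out as an added example. This is not code from the thread or from Apache Directory: the Account class, the complexity rule, the PBKDF2 parameters and the history length are constructed here, and the error names follow the error enumeration of the password policy draft cited above.

```python
"""Model of a pwdHistory check that is enforced only on self-service changes."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

PWD_IN_HISTORY = 3      # constructed: number of old hashes kept, like pwdInHistory
PBKDF2_ROUNDS = 10_000  # constructed: kept low for a demo; production values are far higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; the history holds only these, never cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    uid: str
    # constructed stand-in for the pwdHistory attribute: (salt, digest) pairs
    pwd_history: list = field(default_factory=list)


def meets_complexity(password: str) -> bool:
    """Constructed policy: at least 8 characters with an upper, a lower and a digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def in_history(account: Account, candidate: str) -> bool:
    """Re-hash the candidate under each stored salt and compare in constant time."""
    return any(
        hmac.compare_digest(hash_password(candidate, salt), digest)
        for salt, digest in account.pwd_history
    )


def change_password(account: Account, new_password: str, actor_is_self: bool):
    """Apply a password change and return (accepted, error_name).

    Complexity is enforced for everyone. The history lookup runs, and the
    passwordInHistory error is reported, only when the account owner changes
    their own password, so an administrator resetting someone else's password
    is never told whether the value matches one of that user's old passwords.
    """
    if not meets_complexity(new_password):
        return False, "insufficientPasswordQuality"
    if actor_is_self and in_history(account, new_password):
        return False, "passwordInHistory"
    salt = os.urandom(16)
    account.pwd_history.append((salt, hash_password(new_password, salt)))
    # Keep only the newest PWD_IN_HISTORY entries. The admin-set value is
    # recorded too, so the user cannot later keep the temporary password.
    del account.pwd_history[:-PWD_IN_HISTORY]
    return True, None


if __name__ == "__main__":
    alice = Account("alice")
    print(change_password(alice, "Summer2015!", actor_is_self=False))  # admin reset
    print(change_password(alice, "Summer2015!", actor_is_self=True))   # user reuses it
```

One design choice worth noting: the admin path skips the lookup entirely rather than running it and hiding the result, so nothing about the history influences timing or the response the admin sees; the new hash is still appended, which is what later blocks the user from simply keeping the temporary password.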

