directory-dev mailing list archives

From Pierre Smits <pierre.sm...@gmail.com>
Subject Re: pwdHistory and admin
Date Thu, 23 Jul 2015 17:07:15 GMT
As I read the document, I could not establish the notion that admins are
exempted. But I am inclined to agree that the (one and only) super user
account could be immune to this.

Given that there is controversy, we can establish our own ruling. However,
we need to keep in mind that this potentially constitutes a security
vulnerability and we should ask ourselves if we want to go down that path.
It might endanger adoption.

Best regards,

Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com

On Thu, Jul 23, 2015 at 6:58 PM, Emmanuel Lécharny <elecharny@gmail.com>
wrote:

> On 23/07/15 18:47, Theisen, Lucas wrote:
> > The password policy RFC (
> http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8.2.6)
> is not very explicit, but it seems to me that an admin user account should
> be exempt from the pwdHistory check.
>
> Agreed.
>
> > It's not uncommon (though ill advised) for admins to supply simple
> temporary passwords, and if history is long enough, they may have already
> done so with the same password.  This is causing failures for me.  I can
> get around it by manipulating the pwdHistory beforehand, but that seems
> like it should be unnecessary.  What do you think?  Should we enable admin
> to avoid this check?
>
> The super admin (uid=admin, ou=system) should be immune, IMHO.
>
>
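The scenario the thread argues about (an admin resetting a user's password to a temporary value that collides with that user's pwdHistory, and whether the super admin should bypass the passwordInHistory check), modelled as an added Python example. This is not ApacheDS code and not code from any participant in the thread. It assumes the `time#syntaxOID#length#data` layout the password-policy draft gives for pwdHistory values, keeps the stored `data` as plain text so the comparison stays visible (a real server compares whatever the userPassword syntax holds, often a hash), and uses `SUPER_ADMIN_DN`, `check_password_change` and the sample history values as names and data of its own.

```python
"""Added example: a pwdHistory check with an optional super-admin exemption.
Not Apache Directory project code; names and sample values are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Models the "uid=admin,ou=system" account discussed in the thread (assumption).
SUPER_ADMIN_DN = "uid=admin,ou=system"
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"


@dataclass(frozen=True)
class HistoryEntry:
    time: str        # generalized time the password was put into history
    syntax_oid: str  # syntax of the stored data (userPassword is Octet String)
    data: bytes      # the stored password value itself


def parse_pwd_history_value(value: str) -> HistoryEntry:
    """Split one pwdHistory value of the form time#syntaxOID#length#data.
    Splitting on at most three '#' keeps any '#' inside the data intact;
    the length field must agree with the data or the value is rejected."""
    time, syntax_oid, length, data = value.split("#", 3)
    raw = data.encode("utf-8")
    if int(length) != len(raw):
        raise ValueError(f"pwdHistory length {length} does not match {len(raw)}-byte data")
    return HistoryEntry(time, syntax_oid, raw)


def format_pwd_history_value(time: str, password: str) -> str:
    """Inverse of parse_pwd_history_value, used when a change is recorded."""
    raw = password.encode("utf-8")
    return f"{time}#{OCTET_STRING_SYNTAX}#{len(raw)}#{password}"


def well_formed(value: str) -> bool:
    """True when the value parses and its length field is consistent."""
    try:
        parse_pwd_history_value(value)
        return True
    except ValueError:
        return False


def password_in_history(new_password: str, history: list[str]) -> bool:
    """The passwordInHistory check: compare the proposed password with every
    stored history value (stored as plain text in this example)."""
    candidate = new_password.encode("utf-8")
    return any(parse_pwd_history_value(v).data == candidate for v in history)


def check_password_change(target_dn: str, modifier_dn: str, new_password: str,
                          history: list[str],
                          exempt_modifiers: frozenset[str] = frozenset({SUPER_ADMIN_DN})
                          ) -> tuple[bool, str]:
    """Return (allowed, reason). The exemption is keyed on who performs the
    modification: this models the thread's case of an admin resetting someone
    else's password. Anyone changing their own password, the super admin
    included, is always subject to the history check."""
    if modifier_dn != target_dn and modifier_dn in exempt_modifiers:
        return True, "passwordInHistory check skipped: reset by exempt super admin"
    if password_in_history(new_password, history):
        return False, "passwordInHistory"
    return True, "ok"


# Constructed sample history for a user entry; the values are made up.
SAMPLE_HISTORY = [
    format_pwd_history_value("20150601120000Z", "Temp1234"),
    "20150701120000Z#1.3.6.1.4.1.1466.115.121.1.40#9#Temp#5678",
]
USER_DN = "uid=lucas,ou=users,ou=system"

if __name__ == "__main__":
    print(check_password_change(USER_DN, USER_DN, "Temp1234", SAMPLE_HISTORY))
    print(check_password_change(USER_DN, SUPER_ADMIN_DN, "Temp1234", SAMPLE_HISTORY))
    print(check_password_change(SUPER_ADMIN_DN, SUPER_ADMIN_DN, "Temp1234", SAMPLE_HISTORY))
```

Keying the exemption on the modifier rather than on the target entry is one reading of "the super admin should be immune"; the other reading (exempting the admin entry's own changes) is the one Pierre's reply flags as weakening the policy, and the last call in the block shows that this implementation does not grant it.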
