Mailing-List: contact dev-help@directory.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Apache Directory Developers List" <dev@directory.apache.org>
From: Lothar Haeger <lothar.haeger@brummelhook.com>
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_DDF397C4-6521-46C4-B1EB-AB75533434E3"
Message-Id: <669E2579-E01D-4B0B-9013-6108871EFEE1@brummelhook.com>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
Subject: Re: pwdHistory and admin
Date: Thu, 23 Jul 2015 19:06:56 +0200
References: 
 <BN1PR09MB019623C85DA310A9AC617463CD820@BN1PR09MB0196.namprd09.prod.outlook.com>
To: Apache Directory Developers List <dev@directory.apache.org>
In-Reply-To: 
 <BN1PR09MB019623C85DA310A9AC617463CD820@BN1PR09MB0196.namprd09.prod.outlook.com>


--Apple-Mail=_DDF397C4-6521-46C4-B1EB-AB75533434E3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Sounds advisable to me, this is how Edirectory handles admin password =
resets, btw.. Not just to prevent reuse of simple temp passwords, but =
also to prevent=20

a) telling admins real previous passwords that could still be in use =
elsewhere or
b) giving hints on a user's password scheme which may enable the admin =
to guess current/future passwords.

For that reason only a user himself must be able to see the "already in =
history" type of error on a password change. Admins should be able to =
set any password for other accounts, as long as it adhere's to the =
password complexity policy.

Cheers, Lothar

> Am 23.07.2015 um 18:47 schrieb Theisen, Lucas <ltheisen@mitre.org>:
>=20
> The password policy  RFC =
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8=
.2.6 =
<http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8=
.2.6>) is not very explicit, but it seems to me that an admin user =
account should be exempt from the pwdHistory check.  Its not uncommon =
(though ill advised) for admins to supply simple temporary passwords, =
and if history is long enough, they may have already done so with the =
same password.  This is causing failures for me.  I can get around it be =
manipulating the pwdHistory beforehand, but that seems like it should be =
unnecessary.  What do you think?  Should we enable admin to avoid this =
check?


--Apple-Mail=_DDF397C4-6521-46C4-B1EB-AB75533434E3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">Sounds advisable to me, this is how Edirectory handles admin =
password resets, btw.. Not just to prevent reuse of simple temp =
passwords, but also to prevent&nbsp;<div class=3D""><br =
class=3D""></div><div class=3D"">a) telling admins real previous =
passwords that could still be in use elsewhere or</div><div class=3D"">b) =
giving hints on a user's password scheme which may enable the admin to =
guess current/future passwords.</div><div class=3D""><div class=3D""><div =
class=3D""><br class=3D""></div><div class=3D"">For that reason only a =
user himself must be able to see the "already in history" type of error =
on a password change. Admins should be able to set any password for =
other accounts, as long as it adhere's to the password complexity =
policy.</div><div class=3D""><br class=3D""></div><div class=3D"">Cheers, =
Lothar</div><div class=3D""><br class=3D""><div><blockquote type=3D"cite" =
class=3D""><div class=3D"">Am 23.07.2015 um 18:47 schrieb Theisen, Lucas =
&lt;<a href=3D"mailto:ltheisen@mitre.org" =
class=3D"">ltheisen@mitre.org</a>&gt;:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><span =
style=3D"font-family: Calibri, sans-serif; font-size: 15px; font-style: =
normal; font-variant: normal; font-weight: normal; letter-spacing: =
normal; line-height: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; =
display: inline !important;" class=3D"">The password policy&nbsp; RFC =
(</span><a =
href=3D"http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#se=
ction-8.2.6" style=3D"color: rgb(149, 79, 114); text-decoration: =
underline; font-family: Calibri, sans-serif; font-size: 15px; =
font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" =
class=3D"">http://tools.ietf.org/html/draft-behera-ldap-password-policy-10=
#section-8.2.6</a><span style=3D"font-family: Calibri, sans-serif; =
font-size: 15px; font-style: normal; font-variant: normal; font-weight: =
normal; letter-spacing: normal; line-height: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">) is not very =
explicit, but it seems to me that an admin user account should be exempt =
from the pwdHistory check.&nbsp; Its not uncommon (though ill advised) =
for admins to supply simple temporary passwords, and if history is long =
enough, they may have already done so with the same password.&nbsp; This =
is causing failures for me.&nbsp; I can get around it be manipulating =
the pwdHistory beforehand, but that seems like it should be =
unnecessary.&nbsp; What do you think?&nbsp; Should we enable admin to =
avoid this check?</span></div></blockquote></div><br =
class=3D""></div></div></div></body></html>=

--Apple-Mail=_DDF397C4-6521-46C4-B1EB-AB75533434E3--