#49253 [RFE] password history based on age, not count
Closed: wontfix 3 years ago by spichugi. Opened 6 years ago by pvoborni.

Opened based on FreeIPA #6929

It would be nice if FreeIPA would prevent password reuse based on age, instead of history length. Meaning the ability to configure FreeIPA to enforce that a password cannot be reused within the last 1 year, regardless of how many times the user's password has been changed.

Currently password history is stored based on a history length. And when an organization has password expiration requirements, to keep people from just changing their password X number of times so they can reuse their original, you must set the minimum password age to a high enough value to be an annoyance to such users. This is a rather crude solution to the problem, as the solution is essentially: "make it annoying enough so people don't do it".

I've previously implemented this feature when using OpenLDAP by writing a custom extension that, when the password was changed, stored the previous one with a timestamp of the change date. For enforcement, OpenLDAP would compare against passwords timestamped within the policy's history age, or history length. The solution worked rather well, and it would be nice if such a feature could be implemented within FreeIPA.
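The age-based history described in this ticket, as an added Python model (not 389-ds, FreeIPA or OpenLDAP code): each retired password hash is archived together with the timestamp of the change that retired it, and a candidate password is rejected if it matches any entry replaced within `history_age` or any of the most recent `history_length` entries. The policy field names, the `UserPasswordState` class and the constructed scenario are assumptions for illustration; the demo replays the "change it five times in a day, then go back to the original" case under both rules.

```python
"""Password history enforced by age and/or count: illustrative model only.

Assumptions (not 389-ds or FreeIPA code): history is kept per user as
(salt, digest, changed_at) records; a hypothetical policy knob `history_age`
complements the count-based `history_length` that exists today.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class HistoryEntry:
    salt: bytes
    digest: bytes
    changed_at: datetime  # when set (for the current password) or when retired (in history)


def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; raise it in real deployments.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def entry_matches(entry: HistoryEntry, candidate: str) -> bool:
    return hmac.compare_digest(entry.digest, hash_password(candidate, entry.salt))


@dataclass(frozen=True)
class PasswordPolicy:
    history_age: timedelta = timedelta(0)  # hypothetical knob: block reuse within this window
    history_length: int = 0                # existing style: block reuse of the last N passwords


@dataclass
class UserPasswordState:
    current: HistoryEntry | None = None
    history: list[HistoryEntry] = field(default_factory=list)  # newest first

    def reuse_reason(self, candidate: str, policy: PasswordPolicy, now: datetime) -> str | None:
        """Return 'current', 'age' or 'count' if the candidate is a disallowed reuse, else None."""
        if self.current is not None and entry_matches(self.current, candidate):
            return "current"
        cutoff = now - policy.history_age
        for idx, entry in enumerate(self.history):
            in_age_window = policy.history_age > timedelta(0) and entry.changed_at > cutoff
            in_count_window = idx < policy.history_length
            if (in_age_window or in_count_window) and entry_matches(entry, candidate):
                return "age" if in_age_window else "count"
        return None

    def set_password(self, new_password: str, policy: PasswordPolicy, now: datetime) -> None:
        reason = self.reuse_reason(new_password, policy, now)
        if reason is not None:
            raise ValueError(f"password reuse rejected ({reason} rule)")
        if self.current is not None:
            # The outgoing password is archived with the timestamp of this change.
            self.history.insert(0, HistoryEntry(self.current.salt, self.current.digest, now))
        salt = os.urandom(16)
        self.current = HistoryEntry(salt, hash_password(new_password, salt), now)
        self._prune(policy, now)

    def _prune(self, policy: PasswordPolicy, now: datetime) -> None:
        """Drop entries neither rule can still reach, so stored history stays bounded."""
        cutoff = now - policy.history_age
        self.history = [
            e for i, e in enumerate(self.history)
            if i < policy.history_length
            or (policy.history_age > timedelta(0) and e.changed_at > cutoff)
        ]


def demo_rapid_cycling() -> dict[str, str | None]:
    """Constructed scenario: five quick changes in a day, then try the original password."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policies = {
        "age": PasswordPolicy(history_age=timedelta(days=365)),
        "count": PasswordPolicy(history_length=3),
    }
    results: dict[str, str | None] = {}
    for name, policy in policies.items():
        user = UserPasswordState()
        user.set_password("original-Pa55", policy, t0)
        for i in range(5):
            user.set_password(f"throwaway-{i}", policy, t0 + timedelta(hours=i + 1))
        results[name] = user.reuse_reason("original-Pa55", policy, t0 + timedelta(days=1))
        results[name + "_after_expiry"] = user.reuse_reason(
            "original-Pa55", policy, t0 + timedelta(days=400))
    return results


if __name__ == "__main__":
    print(demo_rapid_cycling())
```

Under the count-only policy the original password falls out of the three-entry history after the cycling and is accepted again the next day; under the age policy it stays blocked until a year has passed since it was retired, which is exactly the behaviour the ticket asks for. Pruning is driven by the same two windows, so the stored history grows only as fast as the user changes passwords within the age window.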


Isn't FreeIPA password policy all managed inside of KRB in IPA? Pretty sure they don't use our account policy modules at all ....

Metadata Update from @firstyear:
- Custom field type adjusted to defect

6 years ago

Yes and no. There are two places where the same code is used: KDB driver for krb5kdc/kadmind and ipa-pwd-extop plugin in 389-ds. Eventually, we want the latter to become part of 389-ds and be configurable enough to handle FreeIPA-specific logic.

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4 backlog

6 years ago

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field version adjusted to None
- Issue tagged with: RFE

6 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2312

If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago
