Opened based on FreeIPA #6929
It would be nice if FreeIPA would prevent password reuse based on age, instead of history length. Meaning the ability to configure FreeIPA to enforce that a password cannot be reused within the last 1 year, regardless of how many times the user's password has been changed.
Currently password history is stored based on a history length. And when an organization has password expiration requirements, to keep people from just changing their password X number of times so they can reuse their original, you must set the minimum password age to a high enough value to be an annoyance to such users. This is a rather crude solution to the problem, as the solution is essentially: "make it annoying enough so people don't do it".
I've previously implemented this feature when using OpenLDAP by writing a custom extension that, when the password was changed, stored the previous one with a timestamp of the change date. For enforcement, OpenLDAP would compare against passwords timestamped within the policy's history age, or history length. The solution worked rather well, and it would be nice if such a feature could be implemented within FreeIPA.
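The age-based history the request describes, as an added illustration that is not 389-ds, FreeIPA or the reporter's OpenLDAP code: each retired password is stored as a salted hash with the change timestamp, and a candidate is rejected if it matches a password retired within the history age or one of the last N passwords. The KDF, field names and `PasswordHistory` API are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption for this constructed example: any slow KDF would do.
PBKDF2_ROUNDS = 100_000


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    changed_at: float  # unix time of the change that retired this password


@dataclass
class PasswordHistory:
    history_age: float   # seconds a retired password stays blocked; 0 disables
    history_length: int  # how many most recent passwords stay blocked; 0 disables
    entries: List[HistoryEntry] = field(default_factory=list)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _blocked(self, now: float) -> List[HistoryEntry]:
        """Entries still enforced: within the age window OR among the last N."""
        recent = self.entries[-self.history_length:] if self.history_length else []
        return [e for e in self.entries
                if e in recent or (self.history_age and now - e.changed_at < self.history_age)]

    def record(self, old_password: str, changed_at: Optional[float] = None) -> None:
        """Retire old_password at changed_at and drop entries no rule still covers."""
        now = time.time() if changed_at is None else changed_at
        salt = os.urandom(16)
        self.entries.append(HistoryEntry(salt, self._digest(old_password, salt), now))
        self.entries = self._blocked(now)

    def is_reuse(self, candidate: str, now: Optional[float] = None) -> bool:
        """True if candidate matches any password a rule still blocks at time now."""
        now = time.time() if now is None else now
        return any(hmac.compare_digest(self._digest(candidate, e.salt), e.digest)
                   for e in self._blocked(now))
```

With history_age set to a year, a user cycling through N+1 passwords in a week no longer gets their original back, which is the gap the length-only rule leaves.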
Isn't FreeIPA password policy all managed inside of KRB in IPA? Pretty sure they don't use our account policy modules at all ....
Metadata Update from @firstyear: - Custom field type adjusted to defect
Yes and no. There are two places where the same code is used: KDB driver for krb5kdc/kadmind and ipa-pwd-extop plugin in 389-ds. Eventually, we want the latter to become part of 389-ds and be configurable enough to handle FreeIPA-specific logic.
Metadata Update from @mreynolds: - Issue set to the milestone: 1.4 backlog
Metadata Update from @mreynolds: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field version adjusted to None - Issue tagged with: RFE
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2312
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)