#6929 password history based on age, not count
Opened 6 years ago by phemmer. Modified 6 years ago

It would be nice if FreeIPA would prevent password reuse based on age, instead of history length. Meaning the ability to configure FreeIPA to enforce that a password cannot be reused within the last 1 year, regardless of how many times the user's password has been changed.

Currently password history is stored based on a history length. And when an organization has password expiration requirements, to keep people from just changing their password X number of times so they can reuse their original, you must set the minimum password age to a high enough value to be an annoyance to such users. This is a rather crude solution to the problem, as the solution is essentially: "make it annoying enough so people don't do it".

I've previously implemented this feature when using OpenLDAP by writing a custom extension that, when the password was changed, stored the previous one with a timestamp of the change date. For enforcement, OpenLDAP would compare against passwords timestamped within the policy's history age, or history length. The solution worked rather well, and it would be nice if such a feature could be implemented within FreeIPA.
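As an added illustration of the scheme described above (retired passwords stored with the date they were replaced, and reuse refused if the candidate falls inside either the count window or the age window), here is example code written for this page. It is not FreeIPA, 389-ds or OpenLDAP code; the PasswordPolicy fields, the PBKDF2 hashing, the pruning step and the sample change dates are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 86400
PBKDF2_ITERATIONS = 100_000  # illustrative; a real directory server uses its own scheme


@dataclass
class PasswordPolicy:
    """Hypothetical policy with both knobs. history_age=0 disables the age rule."""
    history_length: int = 0  # how many of the most recently retired passwords are checked
    history_age: int = 0     # seconds; passwords retired less than this long ago are checked too


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    retired_at: Optional[float] = None  # Unix time the password was replaced; None while current


@dataclass
class UserEntry:
    current: Optional[StoredPassword] = None
    history: List[StoredPassword] = field(default_factory=list)  # most recently retired first


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(stored: StoredPassword, candidate: str) -> bool:
    return hmac.compare_digest(_digest(candidate, stored.salt), stored.digest)


def is_reuse_forbidden(user: UserEntry, candidate: str, policy: PasswordPolicy, now: float) -> bool:
    """True if the candidate equals the current password, or a retired one that is still
    inside either window: the N most recently retired (count rule) or those retired less
    than history_age seconds ago (age rule), however many of them there are."""
    if user.current is not None and _matches(user.current, candidate):
        return True
    for index, old in enumerate(user.history):
        within_count = index < policy.history_length
        within_age = policy.history_age > 0 and (now - old.retired_at) < policy.history_age
        if not (within_count or within_age):
            continue  # outside both windows: no need to spend a hash on it
        if _matches(old, candidate):
            return True
    return False


def change_password(user: UserEntry, new_password: str, policy: PasswordPolicy, now: float) -> None:
    """Enforce the policy, retire the current password with the change date, then prune
    history entries that neither rule can reach any more so the store stays bounded."""
    if is_reuse_forbidden(user, new_password, policy, now):
        raise ValueError("password was used within the configured history window")
    if user.current is not None:
        user.history.insert(0, StoredPassword(user.current.salt, user.current.digest, now))
    user.history = [
        old for index, old in enumerate(user.history)
        if index < policy.history_length
        or (policy.history_age > 0 and (now - old.retired_at) < policy.history_age)
    ]
    salt = os.urandom(16)
    user.current = StoredPassword(salt, _digest(new_password, salt))


def demo() -> dict:
    """Constructed scenario: a user cycles through four passwords in 90 days and then
    tries to go back to the original one. A count-only policy of 2 lets it through;
    the one-year age rule blocks it until the original has been retired for a year."""
    policy = PasswordPolicy(history_length=2, history_age=365 * DAY)
    count_only = PasswordPolicy(history_length=2)
    user = UserEntry()
    t0 = 1_500_000_000.0
    for day, pw in ((0, "winter-2016"), (30, "spring-2017"), (60, "summer-2017"), (90, "autumn-2017")):
        change_password(user, pw, policy, now=t0 + day * DAY)
    return {
        "history_size": len(user.history),
        "count_only_allows_original": not is_reuse_forbidden(user, "winter-2016", count_only, t0 + 91 * DAY),
        "age_rule_blocks_original": is_reuse_forbidden(user, "winter-2016", policy, t0 + 91 * DAY),
        "age_rule_allows_after_a_year": not is_reuse_forbidden(user, "winter-2016", policy, t0 + 396 * DAY),
        "current_always_blocked": is_reuse_forbidden(user, "autumn-2017", policy, t0 + 91 * DAY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The timestamp recorded is the date the password was retired, as in the OpenLDAP extension described above, so "cannot be reused within a year" means a year since it stopped being the active password, which is the stricter and more useful reading. Pruning on each change keeps the entry from growing without bound under the age rule while still honouring the count rule for users who change passwords rarely.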


This should be implemented in 389ds, so I opened an RFE there: #49253

Metadata Update from @pvoborni:
- Custom field external_tracker adjusted to https://pagure.io/389-ds-base/issue/49253
- Issue set to the milestone: Future Releases
- Issue tagged with: tracker

6 years ago

Ah, ok. When I tossed the idea out to the mailing list, the response sounded like it would be implemented in FreeIPA, and there was going to be a future effort to expand 389ds's password management capabilities.

https://www.redhat.com/archives/freeipa-users/2017-May/msg00043.html

We want this to eventually be done by 389-ds but will use this ticket as a tracking one for FreeIPA. Where that code will end up project-wise is less important.

