Hi,
On Tue, 12 Jan 2016 17:46:23 +0900, Michael Ströder wrote:
- reduce pwdInHistory
If pwdInHistory is set to 5 and then reduced to 3,
I try to rephrase: If attribute 'pwdHistory' in the user entry has 5 values and attribute 'pwdInHistory' in the policy entry is 3 then ignore (and remove?) the 2 oldest 'pwdHistory' values.
Exactly! Thanks for your rephrase.
Are values in 'pwdInHistory' sorted by timestamp in this part of the code?
Yes, the parsed pwdInHistory values (pw_hist *tl) are sorted in ascending time order. So in this case we need to ignore the first 2 values and then check 3 values.
We expect to check the password against three history values, but ppolicy checks the password against all pwdHistory values.
- reduce pwdInHistory to zero
If pwdInHistory is set to 5 and then reduced to 0,
I try to rephrase: If attribute 'pwdHistory' in the user entry is set and attribute 'pwdInHistory' in the policy entry is 0 then ignore (and remove?) 'pwdHistory' completely.
We expect that ppolicy password checking will be disabled, but the pwdHistory attribute remains, so password checking is still enabled. We need to remove the pwdHistory attribute.
I'm not sure whether removing 'pwdHistory' attribute (values) is the right thing to do. If you want to increase 'pwdInHistory' later then the old values are lost.
Currently, the pwdHistory attribute is truncated when 'pwdInHistory' is reduced. But this process is simply skipped when pwdInHistory is 0. This behavior is unnatural. I know how you feel. I'm sure the root of the issue is that the 'pwdInHistory' attribute has both roles: "number of pwdHistory values to record" and "number of pwdHistory values to check". It would be desirable to split them, the same as 'pwdMaxFailure' and 'pwdMaxRecordedFailure'.
Thank you.
Ciao, Michael.
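The behaviour discussed in the thread, as an added model that is not OpenLDAP's ppolicy code: pwdHistory values in the RFC-draft syntax (time#syntaxOID#length#data) are parsed and sorted by time, only the newest pwdInHistory of them are checked (none when it is 0), and a separate record count decides how many values to keep, the split into "record" and "check" counts that the last message proposes. The sample history values, salts and the {SSHA} verifier are constructed for the example; the function names are this example's own.

```python
"""Model of pwdHistory / pwdInHistory handling as discussed in the thread.

Added illustration only; this is not code from OpenLDAP's ppolicy overlay.
pwdHistory values follow draft-behera-ldap-password-policy:
    time "#" syntaxOID "#" length "#" data
All sample values below are constructed for this example.
"""
import base64
import hashlib
from dataclasses import dataclass

OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


@dataclass
class HistEntry:
    time: str        # generalized time, e.g. 20160112084623Z
    syntax_oid: str
    data: bytes      # stored password hash, e.g. b"{SSHA}..."
    raw: str         # the original attribute value


def parse_pwd_history(values):
    """Parse pwdHistory values and return them oldest-first (ascending time)."""
    entries = []
    for raw in values:
        time, oid, length, data = raw.split("#", 3)
        data_b = data.encode()
        if len(data_b) != int(length):
            raise ValueError(f"length field {length} does not match data in {raw!r}")
        entries.append(HistEntry(time, oid, data_b, raw))
    entries.sort(key=lambda e: e.time)
    return entries


def make_ssha(password, salt):
    """Produce an {SSHA} userPassword value (SHA-1 over password+salt, base64 of digest+salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_check(stored, candidate):
    """Verify candidate against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("only {SSHA} is modelled here")
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def hist_value(time, hashed):
    """Build one pwdHistory value in time#syntaxOID#length#data form."""
    return f"{time}#{OCTET_STRING_OID}#{len(hashed.encode())}#{hashed}"


def entries_to_check(entries, pwd_in_history):
    """Proposed semantics: check only the newest pwdInHistory values; 0 checks nothing."""
    if pwd_in_history <= 0:
        return []
    return entries[-pwd_in_history:]


def password_in_history(values, pwd_in_history, candidate):
    """True if candidate matches one of the history values the policy says to check."""
    entries = parse_pwd_history(values)
    return any(ssha_check(e.data, candidate) for e in entries_to_check(entries, pwd_in_history))


def truncate_history(values, pwd_record_count):
    """Values to keep when the *record* count is reduced (oldest are dropped; 0 removes all).

    Keeping a separate record count from the check count is the split the thread
    suggests, analogous to pwdMaxFailure vs. pwdMaxRecordedFailure.
    """
    entries = parse_pwd_history(values)
    kept = entries[-pwd_record_count:] if pwd_record_count > 0 else []
    return [e.raw for e in kept]


# Constructed sample: five historical passwords, pw1 oldest ... pw5 newest.
SAMPLE_HISTORY = [
    hist_value("20160105000000Z", make_ssha("pw5", b"s5")),
    hist_value("20160101000000Z", make_ssha("pw1", b"s1")),
    hist_value("20160103000000Z", make_ssha("pw3", b"s3")),
    hist_value("20160102000000Z", make_ssha("pw2", b"s2")),
    hist_value("20160104000000Z", make_ssha("pw4", b"s4")),
]

if __name__ == "__main__":
    for n in (5, 3, 0):
        hits = [p for p in ("pw1", "pw2", "pw3", "pw4", "pw5")
                if password_in_history(SAMPLE_HISTORY, n, p)]
        print(f"pwdInHistory={n}: rejected reuse of {hits}")
```

With pwdInHistory 3 only pw3, pw4 and pw5 are rejected and pw1 and pw2 are reusable; with 0 nothing is rejected even though the pwdHistory values are still present, which is the point of keeping the record count separate from the check count.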