mbackes@symas.com wrote:
Full_Name: Matthew Backes
Version: 2.3, 2.4, head, etc
OS: all
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (67.115.65.234)
When receiving a new userPassword, slapo-ppolicy checks to see if that password matches the hash already present in userPassword, and disallows it if this is the case.
This is a sensible default for most circumstances, as otherwise the user could reset their age counters by using the same password.
Unfortunately, it also blocks arguably-legitimate password changes; e.g. when migrating to SSHA from CRYPT where the first 8 chars of the new password match the old.
This patch changes this userPassword-has-changed check to only apply if there is a password policy defined which requires it; in particular, any of pwdInHistory, pwdMinAge, pwdMaxAge, pwdCheckQuality, or pwdMustChange must apply for this check to be enforced.
Rereading draft-behera, it says:

    5.2.4 pwdInHistory

    This attribute specifies the maximum number of used passwords stored in the pwdHistory attribute.

    If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdHistory attribute and thus may be reused.
As such the test can be simplified. Committing to HEAD.
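The check discussed in this ITS, as an added example that is not OpenLDAP's own code: it verifies an {SSHA} userPassword value (SHA-1 over password||salt, base64 of digest||salt, as slapd stores it) and contrasts the unconditional same-password rejection reported above with the simplified form that only applies when pwdInHistory is present and non-zero. The function names and the policy dict are assumptions of this example; CRYPT is not handled here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} userPassword value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Return True when candidate reproduces the stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("this example only handles {SSHA} values")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate_digest = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate_digest)


def change_rejected_before(stored: str, new_password: str, policy: dict) -> bool:
    """Behaviour reported in the ITS: the new value is always compared to the old hash."""
    return ssha_verify(stored, new_password)


def change_rejected_after(stored: str, new_password: str, policy: dict) -> bool:
    """Simplified check: per draft-behera 5.2.4, a missing or zero pwdInHistory
    means used passwords may be reused, so the comparison is skipped entirely."""
    if policy.get("pwdInHistory", 0) <= 0:     # hypothetical policy dict keyed by attribute
        return False
    return ssha_verify(stored, new_password)


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the value is reproducible.
    old = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
    print("no policy, before:", change_rejected_before(old, "correct horse", {}))
    print("no policy, after: ", change_rejected_after(old, "correct horse", {}))
    print("pwdInHistory=3:   ", change_rejected_after(old, "correct horse", {"pwdInHistory": 3}))
```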