I'm a little confused about a couple of things with ppolicy, I would
appreciate somone helping me to sort it out.
Here's my problem. I have a pwdMinAge set to some number X. The reason
is that the password policy I'm implementing says that passwords must
not be reused until some N days and Y number of changes have elapsed.
Thus, pwdMinAge is approximately N / Y, which means that even if a user
changes their password every X days, they won't go through all Y
passwords until all N days have passed. Clearly not the best option.
So my first question is this: I see that the pwdHistory attribute
stores time the password was used within it. Is there some way for
ppolicy to check if a password that is being reused has been reused in <
Failing in that (which would allow me to get rid of using pwdMinAge)...
When I set a user password with the rootdn or similar, the user can not
reset their password because it is too young. I can see no way to
modify pwdChangedTime. How exactly is this handled?
Third, apparently only the rootdn can set a password when the password
is < pwdMinAge. Users with an ACL that allows write access to
userPassword also go through the ppolicy policies (which makes sense).
Is there a way to exclude them also from ppolicy constraints when
setting another user's password?
Lee Sheridan 301.286.5898 voice
NASA / Goddard Space Flight Center lsherida(a)nccs.nasa.gov
Computer Sciences Corporation Building 28, Room S230