I'm using OpenLDAP 2.4.38.

At some distant point when I was testing the configuration of our OpenLDAP server, I must have set pwdInHistory to 5 as I have 5 previous passwords stored in my account object.

Before going live, though, I changed my mind and set pwdInHistory to 0. However, my account still retains those five previous passwords.

I've tried applying a specific pwdPolicy to my object and setting pwdInHistory to 1 then changing my password but the object still retains 5 previous passwords :-(.

Given that pwdHistory is read-only and therefore I cannot delete those entries, does anyone have any suggestions on how I can persuade OpenLDAP to forget those old passwords?

I don't think changing the password multiple times is going to fix the problem either. Despite setting pwdInHistory to 1, changing the password multiple times doesn't seem to be working in the way I would expect. The five pwdHistory entries that are being shown by Apache Directory Studio all show a date from the beginning of 2013. I would expect ONE of those entries to be replaced with an entry with today's date and, even better, I would expect OpenLDAP to be removing entries if there are more than pwdInHistory's value.

Regards

Philip