[Freeipa-users] Password history based on age, not count?

Alexander Bokovoy abokovoy at redhat.com
Thu May 4 08:03:29 UTC 2017


On Wed, 03 May 2017, Patrick Hemmer wrote:
>Would it be reasonable to request a feature for FreeIPA to enforce
>password history reuse based on age, instead of a count? Meaning
>configure FreeIPA to enforce that a password cannot be reused within the
>last 1 year? Then we could remove the minimum time between password
>changes, and not worry about people cycling through X passwords to be
>able to reuse one.
>
>When we were using OpenLDAP for user account management, I wrote an
>extension for it to do just that and it was rather convenient (not
>having to deal with an annoying min-change-time). The whole
>min-time-between-changes, and number-of-passwords-in-history thing has
>always seemed like a hack to accomplish the true goal of preventing
>users from reusing passwords within a certain amount of time.
Please file a ticket for FreeIPA. We want to eventually move all this
code to 389-ds itself so that its password history check plugin could
support all IPA-related features as well, but it is not there yet.

I think password age based checks are a reasonable request.

-- 
/ Alexander Bokovoy
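An added illustration of the policy difference discussed above (not FreeIPA or 389-ds code): a small history model that evaluates the same reuse attempt under a count-based rule and under an age-based rule, showing why a count-only rule needs a minimum change interval to hold up. The PBKDF2 hashing, the `History` class and the simulated rotation scenario are assumptions of this example only.

```python
"""Count-based vs age-based password-history checks (illustrative model)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 86400  # seconds


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption for this example: PBKDF2-SHA256 with a per-entry salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class History:
    # Each entry is (salt, digest, unix time the password was set).
    entries: list = field(default_factory=list)

    def record(self, password: str, now: int) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt), now))

    def _matches(self, password: str, entry) -> bool:
        salt, digest, _ = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def reused_by_count(self, password: str, keep: int) -> bool:
        """Count rule: only the last `keep` passwords are compared."""
        return any(self._matches(password, e) for e in self.entries[-keep:])

    def reused_by_age(self, password: str, now: int, max_age: int) -> bool:
        """Age rule: every password set within `max_age` seconds is compared."""
        recent = (e for e in self.entries if now - e[2] < max_age)
        return any(self._matches(password, e) for e in recent)


def cycling_scenario(keep: int = 3, max_age: int = 365 * DAY) -> dict:
    """Constructed scenario: a user sets `keep` throwaway passwords one minute
    apart (no minimum change interval) and then tries to return to the original
    password the next day. Returns which rule still rejects the reuse."""
    hist = History()
    hist.record("Original!1", 0)
    for i in range(keep):
        hist.record(f"Throwaway{i}", (i + 1) * 60)
    now = DAY
    return {
        "count_rule_blocks": hist.reused_by_count("Original!1", keep),
        "age_rule_blocks": hist.reused_by_age("Original!1", now, max_age),
    }
```

With the count rule the throwaways push the original out of the window, so the reuse is accepted; with the age rule it is rejected until a year has passed.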



