Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2017/05/29 00:55:04 UTC

[jira] [Resolved] (DIRAPI-296) Password reset does not respect password history policy

     [ https://issues.apache.org/jira/browse/DIRAPI-296?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRAPI-296.
--------------------------------------
    Resolution: Invalid

It's clearly not an API issue: the API does not enforce the password policy, the server does. We don't know which server is used, so if it's not the Apache Directory Server, it's not our issue, and otherwise, an issue should be opened on Apache Directory Server.

> Password reset does not respect password history policy
> -------------------------------------------------------
>
>                 Key: DIRAPI-296
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-296
>             Project: Directory Client API
>          Issue Type: Bug
>            Reporter: Srinivasan A
>              Labels: security
>
> I'm using ldap connection template to allow the user to reset/change the password. My password policy has a password history attribute value of 5. So user will not be able to use previous 5 passwords.
> When I'm using the modifyPassword method for changing the password (i.e. as a user by passing current and new password), it respects the password history policy, i.e. I'm not allowed to use any of the previous 5 passwords. But when using the reset option (i.e. only new password), it does not honor the password policy. It takes any value (including current one).
> How to make the reset password scenario honor the password history policy?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)