Hello DevShed Forums,

Hopefully this question is appropriate here; it's about LDAP password policies (but not direct coding of LDAP).

Is it possible to enforce a password history policy which is strictly based on time, rather than the number of passwords (using an "out of the box" solution)?

For example, typical setups I've seen have the "last X" passwords in the history, so you can't reuse any one of those passwords. But, assuming pwdMinAge isn't set, you can just run through X passwords in a few minutes and set your old password back, which rather defeats the mechanism.

Instead, is it possible to restrict passwords to be purely time based, so that you literally can't reuse a password that's been used in the last, say, 60 days? I've noticed that the pwdHistory attribute does contain timestamps, so it seems to me this should be feasible. Of course, I understand that pwdHistory may need to grow indefinitely depending on how often someone needs to change their password, but, that issue aside, is this something configurable in a password policy? Or even purging passwords from pwdHistory after they've reached a certain age?

One idea is to set the number of allowed passwords (in history) to 60, and specify pwdMinAge to be 86400 (1 day). This would effectively accomplish the same thing, but go overboard in that any of the last 60 passwords wouldn't be usable, regardless of whether they were two months, two years, or ten years old. This isn't desirable, and so again, I would need some sort of purge option that I can't seem to figure out if it exists.

Even rolling your own script for this doesn't seem feasible, since pwdHistory is an operational attribute and not externally modifiable. I'm a relative LDAP newbie here, so any ideas you might have would be appreciated.

Thanks!
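As an added illustration (not part of the original post), the check below shows how the timestamps already present in pwdHistory can drive a time-based reuse rule on the read side, for instance in a password-change front end that reads the entry before submitting the change. It assumes the ppolicy value format `time#syntaxOID#length#data` with GeneralizedTime stamps and `{SSHA}` hashes; the history values and the `NOW` instant are constructed sample data.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# OctetString syntax OID, which ppolicy records in each pwdHistory value.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value; used here only to construct sample history entries."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(password: str, stored: str) -> bool:
    """Verify a candidate against a {SSHA} hash: 20-byte SHA-1 digest, then the salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def parse_pwd_history(value: str) -> tuple[datetime, str]:
    """Split one pwdHistory value 'time#syntaxOID#length#data' into (timestamp, data)."""
    time_str, oid, length, data = value.split("#", 3)
    if oid != OCTET_STRING_OID or int(length) != len(data.encode()):
        raise ValueError(f"malformed pwdHistory value: {value!r}")
    stamp = datetime.strptime(time_str, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return stamp, data

def reused_within(password: str, history: list[str], days: int, now: datetime) -> bool:
    """True if the candidate matches any history entry recorded within the last `days` days."""
    cutoff = now - timedelta(days=days)
    for value in history:
        stamp, stored = parse_pwd_history(value)
        if stamp >= cutoff and ssha_matches(password, stored):
            return True
    return False

# Constructed sample data: a fixed "now" and three past passwords with fixed salts.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _entry(days_ago: int, pw: str, salt: bytes) -> str:
    h = make_ssha(pw, salt)
    stamp = (NOW - timedelta(days=days_ago)).strftime("%Y%m%d%H%M%SZ")
    return f"{stamp}#{OCTET_STRING_OID}#{len(h)}#{h}"
SAMPLE_HISTORY = [
    _entry(10, "Spring2024!", b"\x01\x02\x03\x04"),
    _entry(45, "Winter2023!", b"\x05\x06\x07\x08"),
    _entry(400, "Autumn2022!", b"\x09\x0a\x0b\x0c"),
]

if __name__ == "__main__":
    for pw in ["Spring2024!", "Autumn2022!", "Brand-new-pw"]:
        print(pw, "blocked" if reused_within(pw, SAMPLE_HISTORY, 60, NOW) else "allowed")
```

With a 60-day window the 400-day-old password is allowed again while the two recent ones are blocked, which is the purge behaviour the question asks about, without needing to modify the operational attribute itself.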