On 23/07/15 18:47, Theisen, Lucas wrote:
> The password policy RFC
> (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-8.2.6)
> is not very explicit, but it seems to me that an admin user account should
> be exempt from the pwdHistory check.

Agreed.

> It's not uncommon (though ill-advised) for admins to supply simple temporary
> passwords, and if history is long enough, they may have already done so with
> the same password. This is causing failures for me. I can get around it by
> manipulating the pwdHistory beforehand, but that seems like it should be
> unnecessary. What do you think? Should we enable admin to avoid this check?

The super admin (uid=admin, ou=system) should be immune, IMHO.