Would it be reasonable to request a feature for FreeIPA to enforce password history reuse based on age, instead of a count? Meaning configure FreeIPA to enforce that a password cannot be reused within the last 1 year? Then we could remove the minimum time between password changes, and not worry about people cycling through X passwords to be able to reuse one.
When we were using OpenLDAP for user account management, I wrote an extension for it to do just that and it was rather convenient (not having to deal with an annoying min-change-time). The whole min-time-between-changes, and number-of-passwords-in-history thing has always seemed like a hack to accomplish the true goal of preventing users from reusing passwords within a certain amount of time.

-Patrick

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
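The difference between the two policies described in the message, written out as an added illustration that is not FreeIPA code and assumes nothing about how FreeIPA actually stores password history: each retired password is kept as a salted PBKDF2 digest together with the time it was retired, and the count-based check compares a candidate against the N most recently retired entries while the age-based check compares it against every entry retired inside the window. The `simulate_cycling` function models the exact concern raised above: with no minimum change interval, a user cycles through N throwaway passwords to push an old one out of a count-based history, which the age-based rule still blocks. All passwords and dates are constructed sample values.

```python
"""Count-based versus age-based password-history reuse checks (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Iteration count kept low so the demonstration runs quickly; a production
# store would use a far higher work factor.
_ITERATIONS = 20_000


@dataclass
class HistoryEntry:
    """One retired password: its salted digest and when it stopped being active."""
    salt: bytes
    digest: bytes
    retired_at: datetime


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_entry(password: str, retired_at: datetime) -> HistoryEntry:
    """Record a password into history at the moment it is replaced."""
    salt = os.urandom(16)
    return HistoryEntry(salt, _digest(password, salt), retired_at)


def _matches(password: str, entry: HistoryEntry) -> bool:
    # Constant-time comparison so timing does not leak which entry matched.
    return hmac.compare_digest(_digest(password, entry.salt), entry.digest)


def blocked_by_count(password: str, history: List[HistoryEntry], keep_last: int) -> bool:
    """Count-based policy: reject only if the candidate is among the N most
    recently retired passwords. Older entries have effectively expired."""
    recent = sorted(history, key=lambda e: e.retired_at, reverse=True)[:keep_last]
    return any(_matches(password, e) for e in recent)


def blocked_by_age(password: str, history: List[HistoryEntry],
                   window: timedelta, now: datetime) -> bool:
    """Age-based policy: reject if the candidate was in use at any point inside
    the window, regardless of how many changes happened since."""
    cutoff = now - window
    return any(_matches(password, e) for e in history if e.retired_at >= cutoff)


def simulate_cycling(keep_last: int = 5,
                     window: timedelta = timedelta(days=365)) -> Tuple[bool, bool]:
    """A user retires 'Winter2023!' today, then immediately cycles through
    keep_last throwaway passwords to flush it from a count-based history.
    Returns (blocked_by_count, blocked_by_age) for the attempted reuse."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed date
    history = [make_entry("Winter2023!", now)]       # constructed password
    for i in range(keep_last):
        history.append(make_entry(f"throwaway-{i}", now + timedelta(minutes=i + 1)))
    later = now + timedelta(minutes=keep_last + 1)
    return (
        blocked_by_count("Winter2023!", history, keep_last),
        blocked_by_age("Winter2023!", history, window, later),
    )


def reuse_allowed_after(days_since_retired: int, window_days: int = 365) -> bool:
    """Under the age-based policy, may a password retired N days ago be reused?"""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed date
    entry = make_entry("Spring2022!", now - timedelta(days=days_since_retired))
    return not blocked_by_age("Spring2022!", [entry], timedelta(days=window_days), now)


if __name__ == "__main__":
    by_count, by_age = simulate_cycling()
    print(f"cycling attack blocked by count-based policy: {by_count}")
    print(f"cycling attack blocked by age-based policy:   {by_age}")
    print(f"reuse allowed 400 days after retirement:      {reuse_allowed_after(400)}")
    print(f"reuse allowed 200 days after retirement:      {reuse_allowed_after(200)}")
```

The age-based rule needs the retirement timestamp stored alongside each history digest, which is the one extra piece of state a count-based scheme does not keep; once it is there, the minimum time between changes becomes unnecessary for this purpose, since rapid cycling no longer helps a user get back to an old password.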