>> If password is expired, user will not be able to change it (as old password
>> will be rejected). He can reset it by mail or SMS.

>> Nice! We send the mail for the user to enter the new password. I don't
>> remember if the old password is proposed in this case? This is why password
>> history is needed, as some "interesting people" enter the same password
>> again and again... or maybe this is bad and we are doing it wrong?

>> For the moment password history can be configured in LDAP directory, so if
>> the user tries to use the same password, SSP will get an error and the
>> password will not be updated. The only problem we have is that the user
>> does not know that the password is refused because of password history, he
>> only gets a generic error message.

A bit confused, I thought this was not possible without pull101 mentioned
below? Or is this pull101?

You can also look at this PR:
https://github.com/ltb-project/self-service-password/pull/134. If LDAP
extended error allows you to know when the password history is involved,
then you will be able to display a correct error to the user.

Will do

>> Yes, there is also a PR on this subject:
>> https://github.com/ltb-project/self-service-password/pull/101. It still needs
>> some work.

>> You can test the proposed code and tell us if it solves your issue. But the
>> problem with this PR is that you need to allow SSP to read the password
>> history, which can be a security risk. We are still not sure to accept this
>> PR in SSP.

>> Feel free to comment on the PR with your remarks.

Sure

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
_______________________________________________
ltb-users mailing list
[email protected]
https://lists.ltb-project.org/cgi-bin/mailman/listinfo/ltb-users
