pwm and active directory user password history


Gad

May 21, 2013, 12:14:47 PM5/21/13
to pwm-g...@googlegroups.com
Hi,
I am looking into enforcing user password history, so that the end user won't be able to re-use his previous n passwords.
Can I configure this in PWM itself, or do I need to do this in the AD password policy?
When I did this using AD policy, PWM was unaware of it and accepted a previous password entered by the user and let the user submit his password; however, Active Directory rejected the password and PWM notified the user with some general error stating the password entered does not comply with the password policy.

Any advice will be appreciated.

Thank you,
Gad

Gad

May 22, 2013, 2:25:22 PM5/22/13
to pwm-g...@googlegroups.com
Hi,
Any help will be appreciated.

Thanks,
Gad

Jason Rivard

May 22, 2013, 2:29:20 PM5/22/13
to pwm-general
PWM doesn't handle history enforcement itself (unless you use the shared history feature). It will honor the AD settings except when: the password is changed by the helpdesk, the user logs in with "force password change on next bind", and via the forgotten password sequence. This is just the way AD works; there isn't much we can do to change this behavior in PWM.



Gad Shaked

Jun 5, 2013, 9:36:56 AM6/5/13
to pwm-g...@googlegroups.com
Hi,
Will it be possible for you to add a pre-check while the user types his password, by simulating the process against AD before returning the confirmation of the new password requirement?

Thanks,
Gad


Jason Rivard

Jun 5, 2013, 10:45:12 AM6/5/13
to pwm-general
Sure, we do this for eDirectory, for example. Unfortunately AD has no such pre-check API that I am aware of. If there is such an API, please reference it here for us and we will surely add it.


Gad Shaked

Jun 5, 2013, 10:57:57 AM6/5/13
to pwm-g...@googlegroups.com

Jason Rivard

Jun 5, 2013, 11:18:44 AM6/5/13
to pwm-general
Unfortunately that API is a Windows API only open to Windows desktop programs, of which PWM is not one. PWM would need a network-level API, ideally one available through LDAP, to do the same.

