We have passwordHistory enabled on our directory. When a user tries to
change his own password to a value already in his personal password
history, it prevents him from (re)setting that same password, which is
desired.
However, I'm working on a password synchronization service that will
always need to be able to set the user's password to a newly specified
value, even if that value is already in the history. If this service is
binding with an admin-level account, then I'd expect it to be able to do
so, but instead it's also prevented from setting the password if it's
already in the history. Even if I bind with 'cn=directory manager'
(which I would think should be able to do anything it wants), I cannot
set the password if it already exists in the history.
Is there any particular trick to making this work? I'm hoping there's
an ACI I can set for this, or (probably less likely) an option somewhere
that I need to toggle. Or is this just a bug I'm encountering? Other
directory products I'm familiar with (including Active Directory, for
example) do allow administrators to override password history if needed
when resetting passwords, so I'd expect that to be the case here as well.
Thanks. Any suggestions would be most appreciated.
--
Jared