Bug 703316

Summary: Fine Grained Password policy: number of passwordInHistory is one less.
Product: [Retired] 389
Component: Security - Password Policy
Version: 1.2.8
Status: CLOSED NOTABUG
Reporter: Noriko Hosoi <nhosoi>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-05-31 20:48:58 UTC
Bug Blocks: 512820

Description Noriko Hosoi 2011-05-10 00:06:48 UTC
Description of problem:

Steps:
passwordInHistory: 3

Original password is testpassword --> passwd-001
$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w testpassword
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
replace: userPassword
userPassword: passwd-001

Repeat this as follows:
passwd-001 --> passwd-002
passwd-002 --> passwd-003

$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w passwd-003
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
replace: userPassword
userPassword: testpassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"
ldap_modify: Constraint violation (19)
	additional info: password in history

Change password one more time.
$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w passwd-003
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
replace: userPassword
userPassword: passwd-004

Then, try the original password.  It works.
$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w passwd-004
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
replace: userPassword
userPassword: testpassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/Core_Server_Configuration_Reference.html#cnconfig-passwordInHistory_Number_of_Passwords_to_Remember
3.1.1.127. passwordInHistory (Number of Passwords to Remember)
Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users.

Comment 4 Noriko Hosoi 2011-05-31 20:48:58 UTC
It turned out DS is behaving correctly.  Closing as NOTABUG.
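The transcript above is consistent with a history that holds the three most recent previous passwords while the current password is rejected separately, so four values are unusable at any time and the original password becomes reusable only after the fourth change. The following Python model is an added illustration of that semantic; it is not 389 Directory Server code, and its class name, salted SHA-256 storage and the split between "current" and "history" are assumptions made for the example. Replaying the report's sequence through it reproduces each accept/reject outcome shown in the ldapmodify sessions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed model of a passwordInHistory check (added example, not the
# 389 Directory Server implementation).

StoredHash = Tuple[bytes, bytes]  # (salt, digest)


def _hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Keep a salted SHA-256 digest instead of the clear-text password.
    (Scheme chosen for this example; the real server has its own storage schemes.)"""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def _matches(stored: StoredHash, candidate: str) -> bool:
    salt, digest = stored
    _, cand_digest = _hash_password(candidate, salt)
    return hmac.compare_digest(digest, cand_digest)


class PasswordHistoryPolicy:
    """history keeps the last `history_size` *previous* passwords (oldest first);
    the current password is held separately and is rejected as well, so the
    number of unusable passwords is history_size + 1 (assumed semantic)."""

    def __init__(self, history_size: int, initial_password: str) -> None:
        self.history_size = history_size
        self.history: List[StoredHash] = []
        self.current = _hash_password(initial_password)

    def is_reusable(self, candidate: str) -> bool:
        if _matches(self.current, candidate):
            return False
        return not any(_matches(h, candidate) for h in self.history)

    def change_password(self, new_password: str) -> bool:
        """Return True on success; False models
        'Constraint violation (19): password in history'."""
        if not self.is_reusable(new_password):
            return False
        self.history.append(self.current)
        if len(self.history) > self.history_size:
            self.history.pop(0)  # oldest previous password ages out
        self.current = _hash_password(new_password)
        return True

    def blocked_count(self) -> int:
        """Passwords currently unusable: everything in history plus the current one."""
        return len(self.history) + 1


def replay_bug_report() -> List[bool]:
    """Replay the report's sequence with passwordInHistory: 3."""
    policy = PasswordHistoryPolicy(3, "testpassword")
    outcomes = []
    for pw in ("passwd-001", "passwd-002", "passwd-003"):
        outcomes.append(policy.change_password(pw))
    outcomes.append(policy.change_password("testpassword"))  # rejected: still in history
    outcomes.append(policy.change_password("passwd-004"))    # accepted; 'testpassword' ages out
    outcomes.append(policy.change_password("testpassword"))  # accepted, as in the report
    return outcomes


if __name__ == "__main__":
    for step, ok in zip(
        ["passwd-001", "passwd-002", "passwd-003", "testpassword",
         "passwd-004", "testpassword"], replay_bug_report()):
        print(f"{step:13s} -> {'ok' if ok else 'password in history'}")
```

Run as a script it prints one line per change; the fourth attempt is the only rejection. The model makes the "one less" impression easy to explain: with passwordInHistory: 3, blocked_count() is 4 right after the third change (three remembered passwords plus the current one), and the original value drops out of the window only once three newer previous passwords have pushed it out.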