
I am able to reset a user's password using adLDAP (http://adldap.sourceforge.net/).

Is there a way to detect whether the password the user is trying to reset to is the same as one of the last 5 passwords in their password history?

We have a policy that users cannot reuse any of the last 5 passwords, which Active Directory keeps a history of.

I have spent a few days researching other places and have no luck.

The password reset function resets successfully, but I need it to respect the password history policy.

Brad
  • Good question - scary use of php ldap, imho. I used read-only ldap app clients or standard redirect ticket-based authentication, requiring the user to go through other "standard" ways to change their password. You can easily implement the complexity policy - no idea on the history! – Matt H Jan 04 '12 at 20:25
  • It asks for two pieces of info to be answered before proceeding with the reset password function, but with it being an admin ad account binding, it ignores the policy. I assume others had the same problem and implemented an automated secure solution. – Brad Jan 04 '12 at 20:45
  • I googled a bit before commenting and saw similar problems but no solutions. I also looked for some sort of AD web service to grab the history, no luck. – Matt H Jan 04 '12 at 20:49

1 Answer


The directory server manages the password policy. The application simply needs to trust the directory server to ensure that password history and quality checks are made, and to set result codes in responses accordingly. Applications must never assume details about server implementations (LDAP or otherwise) because this practice creates brittle code that is not robust.

Further, passwords must be transmitted in clear text over a secure connection so that the directory server can ensure password history and quality checks are completed. LDAP interaction in a mission-critical or non-trivial environment should always be over a secure connection.

Terry Gardner
  • Thanks, it returns error 53 "Server is unwilling to perform" when I enter a password that is 7 characters; the length policy requires the password to be at least 8 characters long, but it still ignores the password history policy. – Brad Jan 10 '12 at 19:51
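The answer's point is that the application should let the directory enforce history and only relay the server's verdict. The reason the comment above sees history ignored is the shape of the request: an administrative *reset* (a single REPLACE of `unicodePwd`) is exempt from Active Directory's history and minimum-age checks, whereas a user *change* (DELETE the old value and ADD the new one in one modify) is subject to them. The following Python is an added example, not code from the question, the answer, or the adLDAP project. It contacts no directory: it builds the two request shapes in the `(operation, values)` form that the ldap3 library uses, encodes `unicodePwd` the way AD requires, checks that the connection would be secure before a password is sent in the clear, and maps the server's result code (the 53 seen above) back to an application-level outcome. The DN, passwords and result codes used in the usage section are constructed values.

```python
"""Letting Active Directory enforce password history (added example, not
the page's own code). No live directory is contacted."""

# LDAP result codes relevant here (RFC 4511 numbers; constructed constants)
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19     # generic policy failure per RFC 4511
LDAP_UNWILLING_TO_PERFORM = 53     # what AD returned in the comment above


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute takes the password wrapped in double quotes
    and encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_change_request(user_dn: str, old_password: str, new_password: str) -> dict:
    """User-initiated change: DELETE the old value and ADD the new one in a
    single modify. Because the old password is supplied, AD treats this as a
    change and applies password history and minimum age."""
    return {
        "dn": user_dn,
        "changes": {
            "unicodePwd": [
                ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
                ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
            ]
        },
    }


def build_reset_request(user_dn: str, new_password: str) -> dict:
    """Administrative reset: REPLACE unicodePwd. AD does not apply history to
    a reset, which is why an admin-bound reset 'ignores the policy'."""
    return {
        "dn": user_dn,
        "changes": {
            "unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]
        },
    }


def connection_is_secure(uri: str, start_tls: bool) -> bool:
    """unicodePwd is only accepted over an encrypted session, and the password
    itself travels in the clear inside it, so refuse anything else."""
    return uri.lower().startswith("ldaps://") or (
        uri.lower().startswith("ldap://") and start_tls
    )


def interpret_result(result_code: int) -> str:
    """Relay the directory's verdict; the application never inspects the
    history itself. AD signals policy rejections as 53 (seen above); 19 is
    kept as a defensive mapping for servers that use the RFC 4511 code."""
    if result_code == LDAP_SUCCESS:
        return "changed"
    if result_code in (LDAP_UNWILLING_TO_PERFORM, LDAP_CONSTRAINT_VIOLATION):
        return "rejected-by-policy"
    return "error"


def change_password(uri: str, start_tls: bool, user_dn: str,
                    old_password: str, new_password: str, send) -> str:
    """Full flow: refuse an insecure transport, send a *change* (not a reset),
    and translate whatever result code the server returns. `send` is the
    transport callable (a constructed stand-in for conn.modify in a real app)
    and must return the integer result code."""
    if not connection_is_secure(uri, start_tls):
        return "refused-insecure-transport"
    request = build_change_request(user_dn, old_password, new_password)
    return interpret_result(send(request))


if __name__ == "__main__":
    # Constructed sample values; the fake transport mimics AD refusing a reused password.
    def fake_send(request: dict) -> int:
        return LDAP_UNWILLING_TO_PERFORM

    print(change_password("ldaps://dc.example.test", False,
                          "CN=Brad,OU=Users,DC=example,DC=test",
                          "OldPass-1", "OldPass-1", fake_send))
```

If you use ldap3, `Connection.extend.microsoft.modify_password(user, new_password, old_password=...)` builds exactly this DELETE-plus-ADD modify when `old_password` is given and the REPLACE form when it is omitted; the same distinction is what an adLDAP-based reset page needs to make.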