[python-ldap] Password history / password policy

Michael Ströder michael at stroeder.com
Wed Feb 15 11:04:56 EST 2017


Joey,

basically your LDAP server (MS AD?) is responsible for enforcing all password policy
rules including password history check. Hence it's not really a python-ldap question.

So I'd recommend simply testing it.

Ciao, Michael.

P.S.: Please subscribe to the low-traffic mailing list so I don't have to accept your
postings manually and to avoid missing a response.

Joey Hendricks wrote:
> Hi guys,
> 
> I'm busy with the Python-Ldap module and I'm running into a bit of trouble
> with my company's password policy.
> We don't want a user to be able to reset his password to a password he has
> used before. We have set our password policy the following way:
> 
> Enforce password history                    : 24 passwords remembered
> Maximum password age                        : 42 days
> Minimum password age                        : 1 days
> Minimum password length                     : 8 characters
> Password must meet complexity requirements  : Disabled
> 
> 
> I'm using the following Python code to change the password:
> 
>             server = LDAP_IP
>             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
>             conn = ldap.initialize(server)
>             conn.set_option(ldap.OPT_REFERRALS, 0)
>             conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>             conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
>             conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
>             conn.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
>             conn.simple_bind_s(base64.b64decode(BIND_DN), base64.b64decode(BIND_PASS))
>             password_value1 = '"{0}\"'.format(pwd).encode("utf-16-le")
>             add_pass = [(ldap.MOD_REPLACE, "UnicodePwd", password_value1)]
>             conn.modify_s(CN_NAME, add_pass)
>             conn.unbind_s()
> 
> Or is there a way that the AD won't change the password if the password has
> been used before?
> 
> So that I completely obey my password policy.
> 
> I hope someone can help me.
> 
> Kind regards
> 
> Joey Hendricks
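
What decides whether Active Directory applies the history rule, as an added example (not part of this thread and not python-ldap project code): per Microsoft's AD documentation, a `MOD_REPLACE` on `unicodePwd` is an administrative reset that skips the history check unless the policy-hints control is attached, while a delete-old/add-new pair in one modify is a user change and is checked. It assumes the server is AD and supports that control; the helper names are hypothetical, and the numeric opcodes are the LDAP protocol values behind `ldap.MOD_ADD`, `ldap.MOD_DELETE` and `ldap.MOD_REPLACE`.

```python
"""Added example: AD password reset vs. change (helper names are hypothetical)."""

# LDAP protocol modify opcodes; python-ldap exposes the same values as
# ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# LDAP_SERVER_POLICY_HINTS_OID from Microsoft's MS-ADTS specification.
POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"


def ad_password(pwd):
    """unicodePwd wire format: password wrapped in double quotes, UTF-16LE."""
    return '"{0}"'.format(pwd).encode("utf-16-le")


def reset_modlist(new_pwd):
    """Administrative reset (what the posted code sends): no history check."""
    return [(MOD_REPLACE, "unicodePwd", [ad_password(new_pwd)])]


def change_modlist(old_pwd, new_pwd):
    """User change: delete the old value and add the new one in ONE modify.
    AD verifies the old password and applies the history rule."""
    return [(MOD_DELETE, "unicodePwd", [ad_password(old_pwd)]),
            (MOD_ADD, "unicodePwd", [ad_password(new_pwd)])]


def policy_hints_value(flags=1):
    """BER encoding of SEQUENCE { Flags INTEGER }; flag 0x1 asks AD to
    apply the history check to a reset as well."""
    if not 0 <= flags <= 0x7F:
        raise ValueError("only single-byte INTEGER values are encoded here")
    return bytes([0x30, 0x03, 0x02, 0x01, flags])


def reset_with_history(conn, dn, new_pwd):
    """Reset over an already bound, TLS-protected python-ldap connection."""
    from ldap.controls import RequestControl  # lazy import: needs python-ldap
    # criticality=True: a server without the control refuses the request
    # instead of silently performing an unchecked reset.
    ctrl = RequestControl(POLICY_HINTS_OID, True, policy_hints_value())
    # A reused password is then rejected with ldap.CONSTRAINT_VIOLATION.
    conn.modify_ext_s(dn, reset_modlist(new_pwd), serverctrls=[ctrl])
```
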
