I am creating a Java web application which enables users to change their
password if they have forgotten it. It uses their login and their social
security number to validate and then sends an SMS to the user's phone,
which they type in, and are then able to reset their password.

Now, everything actually works, except one thing. Since the user has
forgotten their password, I am not able to use their own user to reset it,
since I can't authenticate with that user. So I am currently resetting
the password with the admin user, via an LDAP call. The problem is that
the admin user is allowed to set a password that is the same as it was
before, or passwords which were used not long ago, even though my
password policy says this is not allowed.

So my question is: Is it possible to create a user which only has the
ability to change passwords on users, and is NOT allowed to change it if
it attempts to reset the password to what it was before or is right now?
Which attribute(s) should it have permissions to edit and view, to be
able to do this?

Thanks in advance,


jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47924
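The gap the post describes is that a privileged bind writes the new password directly, so the directory's own history check never runs. Whatever rights the delegated account ends up with, the application can enforce the history rule itself before it calls the directory, and can treat the SMS code as a short-lived, single-use, attempt-limited token. The following is an added example written for this thread, not code from the original post or from NetIQ; it is in Python rather than the poster's Java, and the `StubDirectory` class stands in for the LDAP admin bind (it accepts any password, including a reused one, exactly as the post reports). The history depth, code lifetime, attempt limit and all logins, numbers and phone values are assumptions chosen for the example.

```python
"""Password-reset flow that enforces password history in the application
before a privileged directory bind writes the new password (added example).
"""
import hashlib
import hmac
import os
import secrets
import time

HISTORY_DEPTH = 5       # assumed policy: the last 5 passwords may not be reused
OTP_TTL_SECONDS = 300   # assumed: an SMS code is valid for 5 minutes
MAX_OTP_ATTEMPTS = 3    # assumed: three wrong codes cancel the pending reset


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored SSN and password history are not recoverable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class StubDirectory:
    """Stand-in for the LDAP directory written to with an admin bind.
    Like the admin bind in the post, it accepts any value, reused or not."""

    def __init__(self):
        self.passwords = {}

    def set_password(self, login, password):
        self.passwords[login] = password


class ResetService:
    def __init__(self, directory, send_sms):
        self.directory = directory
        self.send_sms = send_sms   # callable(phone, code); assumed SMS gateway
        self.users = {}            # login -> ssn salt/hash, phone, password history
        self.pending = {}          # login -> outstanding SMS code

    def enroll(self, login, ssn, phone, current_password):
        salt = os.urandom(16)
        self.users[login] = {"ssn_salt": salt, "ssn_hash": _hash(ssn, salt),
                             "phone": phone, "history": []}
        self._remember(login, current_password)
        self.directory.set_password(login, current_password)

    def _remember(self, login, password):
        """Append to the user's history, keeping only the newest entries."""
        salt = os.urandom(16)
        history = self.users[login]["history"]
        history.append((salt, _hash(password, salt)))
        del history[:-HISTORY_DEPTH]

    def is_reused(self, login, password):
        """True if the password equals the current one or any in the history."""
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.users[login]["history"])

    def begin_reset(self, login, ssn):
        user = self.users.get(login)
        # Unknown login and wrong SSN fail identically, so the response
        # does not reveal which logins exist.
        if user is None or not hmac.compare_digest(
                _hash(ssn, user["ssn_salt"]), user["ssn_hash"]):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[login] = {"code": code,
                               "expires": time.time() + OTP_TTL_SECONDS,
                               "attempts": 0}
        self.send_sms(user["phone"], code)
        return True

    def complete_reset(self, login, code, new_password):
        pending = self.pending.get(login)
        if pending is None:
            return "no pending reset"
        if time.time() > pending["expires"]:
            del self.pending[login]
            return "code expired"
        if not hmac.compare_digest(pending["code"], code):
            pending["attempts"] += 1
            if pending["attempts"] >= MAX_OTP_ATTEMPTS:
                del self.pending[login]
            return "wrong code"
        # History is checked here because the privileged bind will not check it.
        if self.is_reused(login, new_password):
            return "password reused"   # code stays valid; user picks another
        del self.pending[login]        # single use: the code cannot be replayed
        self.directory.set_password(login, new_password)
        self._remember(login, new_password)
        return "ok"
```

The history check runs before the directory write, and the code is only consumed once the write is about to happen, so a rejected password does not force the user to request a new SMS. In a real deployment the history entries would live in the user's record rather than in memory, and the directory write would be the LDAP modify the post already performs.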