We have IDM 4.5.3 running on Windows. We have a password policy
assigned in eDirectory that requires unique passwords with a history
list size of 5.

When going to change passwords it seems that eDir is keeping my last 6
passwords in history instead of 5. Below is an example of what I see
when trying to change user passwords with this password policy.

Password1 (starting value)
Password2 (second value)
Password1 (previously used message)
Password3 (third value)
Password1 (previously used message)
Password4 (fourth value)
Password1 (previously used message)
Password5 (fifth value)

Now at this point my history should be full which would be the expected
and desired value of passwords 1-5.

If I try Password1 at this point I do still get the previously used
message which is true. That is still one of the last 5 passwords.
However, if I follow the same pattern as above this is the behavior I
find:

Password1 (previously used message - still correct)
Password6 (sixth value)
Password1 (previously used message - incorrect)
Password7 (seventh value)
Password1 (eighth value - can finally re-use that value)

At first glance it seems that the policy is calculating the current
password + the 5 previous passwords so the history is a total of 6
values. However, if I set the password policy history size to 4 it
works as expected.

What am I missing here?


--
gdrtx
------------------------------------------------------------------------
gdrtx's Profile: https://forums.netiq.com/member.php?userid=1660
View this thread: https://forums.netiq.com/showthread.php?t=56760
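As an added illustration (not code from the original post, and not eDirectory's implementation), here is a small Python model of the two interpretations the post raises: a history list holding N previous passwords with the current password also rejected (N+1 values blocked in total), versus a history list of N values in which the current password occupies one slot (N values blocked). Replaying the post's change sequence against both models shows which one reproduces the acceptance pattern reported for a history size of 5. The class, function and attribute names, and the constructed sequence of attempts, are assumptions made for this example.

```python
from collections import deque
from typing import List, Optional


class PasswordHistory:
    """Toy model of a 'require unique passwords' policy with a history list.

    history_size is the configured list size. With current_counts_toward_history
    False, the list holds that many *previous* passwords and the current password
    is rejected on top of it, so history_size + 1 values are blocked. With it
    True, the current password occupies one slot of the list, so exactly
    history_size values are blocked.
    (Model built for this example; it is not eDirectory's implementation.)
    """

    def __init__(self, history_size: int, current_counts_toward_history: bool) -> None:
        if history_size < 1:
            raise ValueError("history_size must be at least 1")
        self.history_size = history_size
        self.current_counts = current_counts_toward_history
        self.current: Optional[str] = None
        self.previous: deque = deque()  # most recent previous password first

    def blocked_values(self) -> List[str]:
        """All passwords that would be rejected as 'previously used' right now."""
        values = [] if self.current is None else [self.current]
        values.extend(self.previous)
        return values

    def change(self, candidate: str) -> bool:
        """Attempt a password change; return True if the change is accepted."""
        if candidate in self.blocked_values():
            return False
        if self.current is not None:
            self.previous.appendleft(self.current)
        # How many previous passwords the list may hold under each interpretation.
        limit = self.history_size - 1 if self.current_counts else self.history_size
        while len(self.previous) > limit:
            self.previous.pop()  # drop the oldest entry
        self.current = candidate
        return True


# Constructed from the post: the order in which passwords were attempted.
POST_SEQUENCE = [
    "Password1", "Password2", "Password1", "Password3", "Password1",
    "Password4", "Password1", "Password5", "Password1", "Password6",
    "Password1", "Password7", "Password1",
]

# Acceptance pattern the post reports for a history size of 5
# (True = accepted, False = 'previously used' message).
OBSERVED = [True, True, False, True, False, True, False, True,
            False, True, False, True, True]


def replay(policy: PasswordHistory, attempts: List[str] = POST_SEQUENCE) -> List[bool]:
    """Run a sequence of change attempts and record which were accepted."""
    return [policy.change(p) for p in attempts]


def steady_state_blocked(history_size: int, current_counts_toward_history: bool,
                         rounds: int = 20) -> int:
    """Number of distinct values rejected once the history list is full."""
    policy = PasswordHistory(history_size, current_counts_toward_history)
    for i in range(rounds):
        policy.change(f"Password{i}")  # all distinct, so every change is accepted
    return len(policy.blocked_values())


if __name__ == "__main__":
    for counts in (False, True):
        label = "current counts toward list" if counts else "current rejected on top of list"
        result = replay(PasswordHistory(5, counts))
        print(f"{label}: matches observed = {result == OBSERVED}, "
              f"blocked once full = {steady_state_blocked(5, counts)}")
```

Running it shows that only the first interpretation (a list of 5 previous passwords plus the current one, 6 values in total) reproduces the acceptance pattern the post reports for a size-5 policy; the second interpretation accepts Password1 one change earlier. The model says nothing about why a size of 4 behaved differently for the poster; that observation is left as reported.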