Quote Originally Posted by alexmchugh View Post
nicolasosorio wrote:

> Hi everyone,
> The documentation for eDir 9 says:
> > The password cannot contain the full value of the CN attribute or full
> > or any part of the value of the Full Name attribute for the account, if
> > the attribute contains at least three characters and is a single word. A
> > part of the attribute value is defined as three or more consecutive
> > characters delimited on both ends by the following characters: commas;
> > periods; dashes; hyphens; underscores; spaces; pound signs; or tabs.

> But when we set the Microsoft Server 2008 Password Policy, the rule I
> quoted before is not working.
> For example, we have a user which CN is johnp, and his fullName is PAUL
> John, if I set to him the password "Paul2019" the rule works and the
> password is not setted because of "Paul", but if I set "Pau2009"
> (supposing the minimum length is 7 characters), the rule doesn't work
> and the password is setted.

I don't think you are reading the AD spec properly. Do you claim that AD
rejects this password or that you think NMAS should reject this password?

If the user's name is Paul John and the CN is johnp then the following strings
are illegal as fragements of the password:

Fragment 1: Paul
Fragment 2: John
Fragment 3: johnp

Fragments like Pau or ohn or Joh are not bounded on both sides by "commas;
periods; dashes; hyphens; underscores; spaces; pound signs; or tabs" in the
input data so they are not considered by the AD 2008 password complexity.

If you find this post helpful, and are viewing this using the web, please show
your appreciation by clicking on the star below

Hi alexmchugh, thanks for the answer, you are right, I was not understading the AD spec properly.