From a4046414b634e027f646be58502f3af2ea2329f0 Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Mon, 26 Apr 2021 16:22:26 -0400
Subject: [PATCH] Enforce "cannot reuse the last 2 passwords" for ks users

Currently the "unique_last_password_count" attribute in keystone
configuration is set to "2", which enforces "cannot reuse the last
1 passwords" in history instead of "cannot reuse the last 2 passwords"
stated in security document.

This update changed "unique_last_password_count" attribute to "3" so
that keystone users password change rule complies with the document.

Closes-Bug: 1924772
Change-Id: I6a2de54336c7253022d49ecb118a315a7825c889
Signed-off-by: Andy Ning <andy.ning@windriver.com>
---
 openstack/python-keystone/centos/files/password-rules.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openstack/python-keystone/centos/files/password-rules.conf b/openstack/python-keystone/centos/files/password-rules.conf
index a110cd4b..e7ce6560 100644
--- a/openstack/python-keystone/centos/files/password-rules.conf
+++ b/openstack/python-keystone/centos/files/password-rules.conf
@@ -18,7 +18,7 @@
 # feature, values must be greater than 1. This feature depends on the `sql`
 # backend for the `[identity] driver`. (integer value)
 # Minimum value: 1
-unique_last_password_count = 2
+unique_last_password_count = 3
 
 # The regular expression used to validate password strength requirements. By
 # default, the regular expression will match any password. The following is an