Use the following password policy configuration properties to enable a password history:

password-history-count
The maximum number of former passwords to maintain in the history.
password-history-duration
The maximum length of time that former passwords should be stored in the history.

If either of these properties is configured with a nonzero value, then the server maintains a password history for users associated with that password policy.

If a password history is to be maintained, then you might want to also impose a limit on how frequently users are allowed to change their password. Without such a limit, some crafty users might attempt to change their passwords several times in quick succession to purge the password they want to keep from the history so they can re-use it. Configure this limit with the following configuration property:

min-password-age
The minimum length of time that must pass between self password changes. If a user attempts to change their password multiple times within this duration, then the later attempts are rejected.

Note:

Administrators can reset user passwords at any time, regardless of how long it has been since the user last changed their password. The min-password-age setting also does not prevent a user from choosing a new password following an administrative reset.

See the config/sample-dsconfig-batch-files/enable-password-history.dsconfig batch file for more information about enabling password history.
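
The interaction between the history properties and min-password-age described above can be checked with a small model. The following Python code is an added example, not part of the server or its sample batch files; the PolicyModel class, the cycle_and_reuse function, and the pruning and reset semantics marked as assumptions in the comments are illustrative.

```python
from collections import deque
from datetime import datetime, timedelta

class PolicyModel:
    """Toy model of the three properties above; not the server's implementation."""
    def __init__(self, history_count=0, history_duration=timedelta(0),
                 min_age=timedelta(0)):
        self.history_count = history_count
        self.history_duration = history_duration
        self.min_age = min_age
        self.current = None
        self.history = deque()  # (retired_at, password); real servers store encoded values
        self.last_self_change = None  # cleared by an administrative reset

    def _prune(self, now):
        # Assumption: with both limits nonzero, an entry must satisfy both to stay.
        while self.history_count and len(self.history) > self.history_count:
            self.history.popleft()
        while (self.history_duration and self.history
               and now - self.history[0][0] > self.history_duration):
            self.history.popleft()

    def _store(self, new, now):
        if self.current is not None and (self.history_count or self.history_duration):
            self.history.append((now, self.current))
        self.current = new
        self._prune(now)

    def self_change(self, new, now):
        last = self.last_self_change
        if last is not None and now - last < self.min_age:
            return "rejected: min-password-age"
        self._prune(now)
        if new == self.current or any(p == new for _, p in self.history):
            return "rejected: in history"
        self._store(new, now)
        self.last_self_change = now
        return "accepted"

    def admin_reset(self, new, now):
        # Assumption: a reset skips the age and history checks and restarts the clock.
        self._store(new, now)
        self.last_self_change = None

def cycle_and_reuse(policy, changes, step):
    """Replay the quick-succession pattern from the text; return each outcome."""
    now = datetime(2024, 1, 1)                # constructed start time
    policy.admin_reset("original", now)
    names = [f"throwaway-{i}" for i in range(changes)] + ["original"]
    return [policy.self_change(n, now + step * (i + 1)) for i, n in enumerate(names)]
```

In this model, a history count of 3 with no minimum age lets the original password return after four changes made a minute apart, while a min-password-age of one day rejects every change after the first in that same sequence. Spacing the changes a day apart still succeeds, so the time a former password stays blocked is roughly the history count multiplied by min-password-age.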