
password-policy configuration problems: cannot change passwords



Hello,

I'm running OpenLDAP with the password policy overlay. After the overlay installation and configuration, we cannot change the passwords anymore.

Michael Ströder said that an LDAP modify request should resolve this issue, but it didn’t help.

[root@ldapsrv ~]# ldappasswd -e ppolicy -D cn=username,dc=domain,dc=tld -S -W
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAA=
ppolicy:

This is the log:

Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 ACCEPT from IP=192.168.41.41:48899 (IP=0.0.0.0:636)
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 TLS established tls_ssf=256 ssf=256
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" method=128
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" mech=SIMPLE ssf=0
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 RESULT tag=97 err=0 text=
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 PASSMOD new
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 RESULT oid= err=19 text=Password policy only allows one password value
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=2 UNBIND
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 closed

This is my default password policy:

dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE

This is my password policy configuration:

dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE

Thanks in advance for any reply,

            Marco