Re: password policy error: Password policy only allows one password value
- To: openldap-technical@openldap.org
- Subject: Re: password policy error: Password policy only allows one password value
- From: Joke de Buhr <joke@seiken.de>
- Date: Fri, 14 Jun 2013 17:24:23 +0200
- In-reply-to: <85699165.WSsozFVyDn@oberon>
- References: <85699165.WSsozFVyDn@oberon>
- User-agent: KMail/4.10.4 (Linux/3.9.5-201.fc18.x86_64; KDE/4.10.4; x86_64; ; )
Hi,
I think I found the reason why changing the password didn't work, and I think
it's a bug.
If the password policy overlay is used, slapd needs to be restarted every time
the olcPasswordHash parameter changes.
For example change the olcPasswordHash from {SHA} to {SSHA}. Changing the
password via ldappasswd now causes the error mentioned below. Just restart
slapd and the password can be changed again by ldappasswd.
Change the olcPasswordHash back from {SSHA} to {SHA}, and ldappasswd can't change
the password until slapd is restarted once more.
Changing the olcPasswordHash and immediately changing it back without a
restart doesn't work either.
Regards
Joke
On Thursday 13 June 2013 23:40:37 you wrote:
> Hi,
>
> I activated the password policy overlay but every time I try to update the
> password using ldappasswd I get this error message:
>
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> Result: Constraint violation (19)
> Additional info: Password policy only allows one password value
>
> The user account has its attribute pwdPolicySubentry set to the policy listed
> below. The original account had multiple userPassword values with different
> hashes, but deleting every userPassword attribute but the last one didn't
> help. Deleting all userPassword attributes didn't work either. ldappasswd
> always returns the error.
>
> Any idea what causes the problem or what setting to check?
>
>
> Regards
> Joke
>
>
> -----------------------------------------------------------------------------
>
> dn: cn=person,ou=policies,dc=seiken,dc=de
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> cn: person
> pwdAttribute: userPassword
> sn: -none-
> description: password policy designed for real people logins
> pwdAllowUserChange: TRUE
> pwdCheckQuality: 1
> pwdExpireWarning: 2592000
> pwdFailureCountInterval: 5
> pwdGraceAuthNLimit: 3
> pwdInHistory: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 3600
> pwdMaxAge: 7776000
> pwdMaxFailure: 60
> pwdMinAge: 0
> pwdMinLength: 5
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
>
> -----------------------------------------------------------------------------
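An added helper script (not part of this thread or of OpenLDAP) for reproducing and recognising the symptom Joke describes: it builds the cn=config LDIF that switches olcPasswordHash, and classifies ldappasswd's exit status and output so a "hash changed, slapd not restarted" failure is told apart from other errors. It assumes olcPasswordHash is set on the frontend entry olcDatabase={-1}frontend,cn=config and that slapd is administered over ldapi:/// with SASL/EXTERNAL; the sample failure output is constructed from the error quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Only reproduce_hash_change() touches a
# live server; the two helpers below are pure and can be tested offline.

# LDIF that replaces the server-side hash scheme, e.g. {SHA} -> {SSHA}.
# Assumption: olcPasswordHash lives on olcDatabase={-1}frontend,cn=config.
hash_change_ldif() {
  printf 'dn: olcDatabase={-1}frontend,cn=config\n'
  printf 'changetype: modify\n'
  printf 'replace: olcPasswordHash\n'
  printf 'olcPasswordHash: %s\n' "$1"
}

# Classify an ldappasswd run from its exit status ($1) and captured output ($2).
# Prints: ok | ppolicy-stale (the constraint violation the thread attributes to
# an olcPasswordHash change without a slapd restart) | other-error
classify_ldappasswd_result() {
  rc="$1"; out="$2"
  if [ "$rc" -eq 0 ]; then
    echo ok
    return
  fi
  case "$out" in
    *"Password policy only allows one password value"*) echo ppolicy-stale ;;
    *) echo other-error ;;
  esac
}

# Live reproduction: switch the hash scheme, then try to set a password.
# Usage: reproduce_hash_change '{SSHA}' 'uid=test,dc=example,dc=com' 'NewSecret1'
reproduce_hash_change() {
  hash_change_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  out=$(ldappasswd -Q -Y EXTERNAL -H ldapi:/// -s "$3" "$2" 2>&1)
  rc=$?
  verdict=$(classify_ldappasswd_result "$rc" "$out")
  echo "$verdict"
  # A ppolicy-stale verdict means: restart slapd and retry, per the thread.
}

# Constructed sample, modelled on the output quoted in the original question.
SAMPLE_FAILURE="SASL/EXTERNAL authentication started
SASL SSF: 0
Result: Constraint violation (19)
Additional info: Password policy only allows one password value"
```

Run `reproduce_hash_change '{SSHA}' "$DN" "$NEWPW"` once, then again after `systemctl restart slapd` (or your distribution's equivalent) to confirm the verdict flips from ppolicy-stale to ok.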