Full_Name: Ian Bishop
Version: 2.4.39
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:388:e001:ce00:f2de:f1ff:fea7:d755)

Using password policy overlay, pwdMinLength is not checked when pwdInHistory == 0.

I tested this by setting pwdMinLength=6 and pwdInHistory=0. I was then able to set a 3 character password. When I changed pwdInHistory > 0 and tried to set a 3 character password, the attempt was denied. I repeated this several times, and also restarted slapd just in case - same result.

Running OpenLDAP 2.4.39 on CentOS 7, installed from CentOS RPM repo.
porjo38@yahoo.com.au wrote:
> Using password policy overlay, pwdMinLength is not checked when pwdInHistory ==
> 0.

I tried to reproduce this with my local OpenLDAP 2.4.41 installation. In one case I thought to see this but I could not reproduce all the time. Maybe there's another condition for this to happen.

Could you please also test with release 2.4.41?

And please also post the entry with the password (and relevant pwd* attrs) and the pwdPolicy entry used, both as LDIF (minus sensitive data).

Ciao, Michael.
Thanks, I will try with 2.4.41 and let you know. I may not get a chance to test until this weekend.

Relevant output from slapcat:

dn: uid=ian,ou=UserAccounts,o=cwa
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: ldapPublicKey
givenName: Ian
displayName: Ian Bishop
uid: ian
homeDirectory: /home/ian
loginShell: /bin/bash
cn: Ian Bishop
structuralObjectClass: inetOrgPerson
entryUUID: 767c952c-c867-1034-933d-53d15af42765
creatorsName: cn=admin,o=cwa
createTimestamp: 20150727045535Z
gidNumber: 1000
sn: Bishop
uidNumber: 10000
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pwdChangedTime: 20150729140556Z
pwdHistory: 20150729140556Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}xxxxxxxxxx
entryCSN: 20150729140556.659729Z#000000#000#000000
modifiersName: cn=admin,o=cwa
modifyTimestamp: 20150729140556Z

dn: cn=passwordDefault,ou=policies,o=cwa
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: TRUE
structuralObjectClass: person
entryUUID: 3314dc02-ca3f-1034-825a-9d42205b22be
creatorsName: cn=config
createTimestamp: 20150729131225Z
pwdMinLength: 6
pwdLockoutDuration: 300
pwdInHistory: 1
entryCSN: 20150729135535.164545Z#000000#000#000000
modifiersName: cn=admin,o=cwa
modifyTimestamp: 20150729135535Z

On 30/07/15 03:01, Michael Ströder wrote:
> porjo38@yahoo.com.au wrote:
>> Using password policy overlay, pwdMinLength is not checked when pwdInHistory ==
>> 0.
>
> I tried to reproduce this with my local OpenLDAP 2.4.41 installation.
> In one case I thought to see this but I could not reproduce all the time.
> Maybe there's another condition for this to happen.
>
> Could you please also test with release 2.4.41?
>
> And please also post the entry with the password (and relevant pwd* attrs) and
> the pwdPolicy entry used, both as LDIF (minus sensitive data).
>
> Ciao, Michael.
>
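The checks under discussion, as an added reference model (my code, not OpenLDAP's and not the reporter's): it parses slapcat-style LDIF like the entries above, decodes the pwdHistory syntax (time#syntaxOID#length#data) and the {SSHA} scheme shown there, and reports which PasswordPolicyResponse error a proposed password change should produce. Its reading of slapo-ppolicy(5) is an assumption, not something verified against ppolicy.c: pwdMinLength is enforced only when pwdCheckQuality is non-zero, and that check is independent of pwdInHistory. The posted policy carries pwdCheckQuality: 0, which is worth confirming when building a reproducer. The sample LDIF, the password "oldsecret" and all function names are constructed; only the pwd* attribute names and error names come from the standard.

```python
"""Reference model of the slapo-ppolicy checks discussed in this ITS (added example, not
OpenLDAP code): parse the pwdPolicy and user entries from LDIF and report which
PasswordPolicyResponse error a proposed password change should trigger."""
import base64
import hashlib
import os
import re
from typing import Optional

HISTORY_RE = re.compile(r"^(\d{14}Z)#([\d.]+)#(\d+)#(.*)$")  # time#syntaxOID#length#data

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64(sha1(password || salt) || salt), the scheme in the posted pwdHistory."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt that trails the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader for slapcat-style output: blank-line separated entries,
    'attr: value' or 'attr:: base64value' lines (no continuation lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_pwd_history(value: str) -> dict:
    """Split a pwdHistory value and check its length field against the stored data."""
    m = HISTORY_RE.match(value)
    if not m:
        raise ValueError("malformed pwdHistory value: %r" % value)
    time, oid, length, data = m.groups()
    if int(length) != len(data):
        raise ValueError("pwdHistory length field %s does not match data" % length)
    return {"time": time, "syntax": oid, "data": data}

def check_password_change(policy: dict, entry: dict, new_password: str) -> list:
    """Return the PasswordPolicyResponse error names this model expects for the change.
    Assumptions (my reading of slapo-ppolicy(5), not verified against ppolicy.c):
    pwdMinLength is enforced only when pwdCheckQuality is non-zero, and pwdInHistory > 0
    enables comparison against the stored pwdHistory values."""
    def intval(attr, default=0):
        return int(policy.get(attr, [default])[0])

    errors = []
    # The length check does not depend on pwdInHistory; only pwdCheckQuality gates it.
    if intval("pwdCheckQuality") > 0 and len(new_password) < intval("pwdMinLength"):
        errors.append("passwordTooShort")
    depth = intval("pwdInHistory")
    if depth > 0:
        # Values begin with a fixed-width timestamp, so string order is time order.
        recent = sorted(entry.get("pwdHistory", []), reverse=True)[:depth]
        if any(ssha_verify(new_password, parse_pwd_history(h)["data"]) for h in recent):
            errors.append("passwordInHistory")
    return errors

# Constructed sample modelled on the entries posted in this thread (attributes trimmed);
# the hash comes from a known password with a fixed salt so the history check runs offline.
OLD_HASH = ssha_hash("oldsecret", salt=b"\x00\x01\x02\x03")
HISTORY_VALUE = "20150729140556Z#1.3.6.1.4.1.1466.115.121.1.40#%d#%s" % (len(OLD_HASH), OLD_HASH)
SAMPLE_LDIF = """\
dn: uid=ian,ou=UserAccounts,o=cwa
uid: ian
userPassword: %s
pwdChangedTime: 20150729140556Z
pwdHistory: %s

dn: cn=passwordDefault,ou=policies,o=cwa
cn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinLength: 6
pwdInHistory: 1
""" % (OLD_HASH, HISTORY_VALUE)

def evaluate(new_password: str, **overrides) -> list:
    """Run the model on the sample with optional policy overrides, e.g.
    evaluate("abc", pwdCheckQuality=1, pwdInHistory=0)."""
    entry, policy = parse_ldif(SAMPLE_LDIF)
    for attr, val in overrides.items():
        policy[attr] = [str(val)]
    return check_password_change(policy, entry, new_password)
```

To use it as a test oracle, run evaluate("abc", pwdCheckQuality=1, pwdInHistory=0) and the other combinations of pwdCheckQuality and pwdInHistory, then attempt the same change against slapd with ldappasswd under the same policy; any case where slapd accepts a password the model rejects (or vice versa) is the demonstrable test case asked for in this ITS.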
I've attempted to test with OpenLDAP 2.4.41 but cannot get password changing to work at all, constantly getting error: "passwd: Authentication token manipulation error"

Unfortunately, I cannot spend more time on this now.

On 30/07/15 03:01, Michael Ströder wrote:
> porjo38@yahoo.com.au wrote:
>> Using password policy overlay, pwdMinLength is not checked when pwdInHistory ==
>> 0.
>
> I tried to reproduce this with my local OpenLDAP 2.4.41 installation.
> In one case I thought to see this but I could not reproduce all the time.
> Maybe there's another condition for this to happen.
>
> Could you please also test with release 2.4.41?
>
> And please also post the entry with the password (and relevant pwd* attrs) and
> the pwdPolicy entry used, both as LDIF (minus sensitive data).
>
> Ciao, Michael.
>
IanB wrote:
> I've attempted to test with OpenLDAP 2.4.41 but cannot get password changing
> to work at all, constantly getting error: "passwd: Authentication token
> manipulation error"

Grepping through the source this message is output from slapo-nssov. Are you sure that you re-built and installed slapo-nssov from 2.4.41?

Also you should always first test with ldappasswd command-line tool to avoid false interaction with other software. What else do you have configured?

> Unfortunately, I cannot spend more time on this now.

What does that mean? If you don't want to work on this ITS any further it's probably the best to close it.

Ciao, Michael.
Inability to reproduce, may have mixed versions. Would need demonstrable test case and configs with current OpenLDAP release