Full_Name: Mats Luspa
Version: openldap-2.4.40+dfsg
OS: 3.16.0-4-686-pae #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) i686 GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:6b0:27:cc:2740:e692:a5b1:4b0f)

Hello!

When you are using ppolicy, password changes are recorded in the pwdHistory attribute. ldappasswd can't be used due to that. For some reason it checks that pwdHistory does not exist before it changes the password. If pwdHistory exists, then ldappasswd can't change the password.

Here's the log file:

2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: replace userPassword
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: replace pwdChangedTime
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: add pwdHistory
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: replace pwdChangedTime
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: add pwdHistory
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: 20 modify/add: pwdHistory: value #0 already exists
2018-02-08T09:42:45+01:00 mailserver slapd[725]: send_ldap_result: err=20 matched="" text="modify/add: pwdHistory: value #0 already exists"

/Regards Mats
May have already been fixed by increasing the resolution of the time field?
I don't understand what's going on here. Why do we see "replace pwdChangedTime" and "add pwdHistory" twice for a single "replace userPassword"? I'm testing exactly the same version as the reporter and those only occur once each for me.

I think this is an invalid configuration, with ppolicy configured _twice_ on the database. If I do this invalid config:

overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com
overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com

then I get that same result:

5e7abb2b mdb_modify_internal: replace userPassword
5e7abb2b mdb_modify_internal: replace pwdChangedTime
5e7abb2b mdb_modify_internal: add pwdHistory
5e7abb2b mdb_modify_internal: replace pwdChangedTime
5e7abb2b mdb_modify_internal: add pwdHistory
5e7abb2b mdb_modify_internal: 20 modify/add: pwdHistory: value #0 already exists
5e7abb2b mdb_modify: modify failed (20)

Mats, can you please confirm this was a configuration error and we can close it?
Hello,

This was a long time ago, so I had forgotten this. But you are correct. I had ppolicy configured twice. I'm sorry for the inconvenience. You can close this report.

/Regards Mats
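
A check for the misconfiguration identified in this thread, added here as an example and not part of the original report or OpenLDAP's own code: it scans a slapd.conf-style file for the ppolicy overlay declared more than once on the same database. The sample configuration, the function names and the `type@Lline` database label are assumptions made for the illustration.

```python
# Constructed sample slapd.conf (not the reporter's file): ppolicy is stacked
# twice on the first database and once on the second.
SAMPLE_CONF = """\
database mdb
suffix "dc=example,dc=com"
overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com
overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com

database mdb
suffix "dc=example,dc=org"
overlay
  ppolicy
"""

def logical_lines(text):
    """Yield (first_line_no, text); a line starting with whitespace continues the previous one."""
    current, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield start, current
        current, start = raw.rstrip(), no
    if current is not None:
        yield start, current

def duplicate_overlays(text, overlays=("ppolicy",)):
    """Return [(database_label, overlay, [line_nos])] for watched overlays
    declared more than once on one database (hypothetical helper)."""
    db, seen = "global", {}
    for no, line in logical_lines(text):
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue  # blank line, comment, or directive without an argument
        keyword, arg = tokens[0].lower(), tokens[1].lower()
        if keyword == "database":
            db = f"{arg}@L{no}"  # following overlays attach to this database
        elif keyword == "overlay" and arg in overlays:
            seen.setdefault((db, arg), []).append(no)
    return [(d, o, nos) for (d, o), nos in seen.items() if len(nos) > 1]

if __name__ == "__main__":
    for db, overlay, nos in duplicate_overlays(SAMPLE_CONF):
        print(f"{db}: overlay {overlay} declared {len(nos)} times (lines {nos})")
```
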