Issue 8802 - ldappasswd ppolicy
Summary: ldappasswd ppolicy
Status: VERIFIED INVALID
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All / OS: All
Importance: --- normal
Target Milestone: 2.5.0
Assignee: OpenLDAP project
Reported: 2018-02-08 09:11 UTC by matsl@irf.se
Modified: 2020-03-25 19:49 UTC (History)
Description matsl@irf.se 2018-02-08 09:11:05 UTC
Full_Name: Mats Luspa
Version: openldap-2.4.40+dfsg
OS: 3.16.0-4-686-pae #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) i686 GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:6b0:27:cc:2740:e692:a5b1:4b0f)


Hello!

When you are using ppolicy, password changes are recorded in the pwdHistory
attribute.

ldappasswd can't be used due to that. For some reason it checks that pwdHistory
does not exist before it changes the password. If pwdHistory exists then
ldappasswd can't change the password.

Here's the log file:

2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: replace userPassword
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: replace pwdChangedTime
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: add pwdHistory
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: replace pwdChangedTime
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: add pwdHistory
2018-02-08T09:42:45+01:00 mailserver slapd[725]: bdb_modify_internal: 20 modify/add: pwdHistory: value #0 already exists
2018-02-08T09:42:45+01:00 mailserver slapd[725]: send_ldap_result: err=20 matched="" text="modify/add: pwdHistory: value #0 already exists"

/Regards Mats
Comment 1 Quanah Gibson-Mount 2020-03-23 17:32:09 UTC
May have already been fixed by increasing the resolution of the time field?
Comment 2 Ryan Tandy 2020-03-25 02:01:56 UTC
I don't understand what's going on here. Why do we see "replace pwdChangedTime" and "add pwdHistory" twice for a single "replace userPassword"? I'm testing exactly the same version as the reporter and those only occur once each for me.

I think this is an invalid configuration, with ppolicy configured _twice_ on the database.

If I do this invalid config:

overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com

overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com

then I get that same result:

5e7abb2b mdb_modify_internal: replace userPassword
5e7abb2b mdb_modify_internal: replace pwdChangedTime
5e7abb2b mdb_modify_internal: add pwdHistory
5e7abb2b mdb_modify_internal: replace pwdChangedTime
5e7abb2b mdb_modify_internal: add pwdHistory
5e7abb2b mdb_modify_internal: 20 modify/add: pwdHistory: value #0 already exists
5e7abb2b mdb_modify: modify failed (20)

Mats, can you please confirm this was a configuration error and we can close it?
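The misconfiguration diagnosed above (the ppolicy overlay stacked twice on one database, so each password change produces two "add pwdHistory" modifications and the second one fails with err=20) can be caught before slapd is restarted by scanning the configuration. The script below is an added example, not code from this report or from the OpenLDAP project. It assumes a slapd.conf-style configuration (the format used in the comment above); the sample configuration is constructed for the example and reproduces the duplicated overlay on one database while leaving a second database clean.

```python
"""Detect overlays declared more than once on the same slapd database.

Added example, not code from the OpenLDAP project. It parses slapd.conf-style
text and reports any overlay that appears twice under one 'database' stanza,
which is the misconfiguration behind duplicate 'add pwdHistory' modifications
and the resulting err=20 (attributeOrValueExists).
"""
from collections import Counter
from typing import Dict, List

# Constructed sample: a slapd.conf fragment with ppolicy loaded twice on the
# mdb database (invalid) and a single overlay on the monitor database (fine).
SAMPLE_CONF = """\
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/ppolicy.schema
moduleload ppolicy.la

database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"

overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com

# a second copy pasted in by mistake
overlay ppolicy
ppolicy_default cn=ppolicy,dc=example,dc=com

database monitor
overlay syncprov
"""


def parse_overlays(conf_text: str) -> Dict[str, List[str]]:
    """Return {database label: [overlay names in order]} for slapd.conf text.

    Database labels are '<type>#<index>' so two databases of the same type
    stay distinct. Directives before the first 'database' line are global
    and carry no overlays. Comments, blank lines and slapd.conf continuation
    lines (lines starting with whitespace) are skipped.
    """
    overlays: Dict[str, List[str]] = {}
    current = None
    db_index = 0
    for raw in conf_text.splitlines():
        if raw[:1].isspace():
            continue  # continuation of the previous directive, not a new one
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "database" and len(parts) >= 2:
            db_index += 1
            current = f"{parts[1].lower()}#{db_index}"
            overlays[current] = []
        elif directive == "overlay" and len(parts) >= 2 and current is not None:
            overlays[current].append(parts[1].lower())
    return overlays


def duplicate_overlays(conf_text: str) -> Dict[str, Dict[str, int]]:
    """Return {database label: {overlay: count}} for overlays stacked 2+ times."""
    result: Dict[str, Dict[str, int]] = {}
    for db, names in parse_overlays(conf_text).items():
        dups = {name: n for name, n in Counter(names).items() if n > 1}
        if dups:
            result[db] = dups
    return result


if __name__ == "__main__":
    found = duplicate_overlays(SAMPLE_CONF)
    if found:
        for db, dups in found.items():
            for name, n in dups.items():
                print(f"{db}: overlay '{name}' declared {n} times")
    else:
        print("no duplicated overlays")
```

Run it against your own slapd.conf by reading the file into `duplicate_overlays`; on the sample it reports `mdb#1: overlay 'ppolicy' declared 2 times`. For a cn=config deployment the same condition shows up as two olcOverlay entries beneath one olcDatabase entry, so the check there is a search for olcOverlay children rather than a text parse.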
Comment 3 matsl@irf.se 2020-03-25 19:47:03 UTC
Hello,

This was a long time ago so I had forgotten this. But you are correct. I had ppolicy configured twice.

I'm sorry for the inconvenience.

You can close this report.

/Regards Mats