
can't delete userPassword when ppolicy is used


Not sure if this is intended or not, but it seems to be impossible to delete
the userPassword attribute from an entry if the ppolicy overlay is loaded.

I found this out when I accidentally added a userPassword attribute to a 
posixGroup entry and discovered I could no longer remove it:

$ ldapmodify -x -D cn=manager,dc=example,dc=com -w secret
dn: cn=ldapusers,ou=group,dc=example,dc=com
changetype: modify
delete: userpassword

modifying entry "cn=ldapusers,ou=group,dc=example,dc=com"
ldap_modify: Internal (implementation specific) error (80)
        additional info: Internal Error

If I unload the ppolicy overlay, the operation succeeds.

I have a default policy set which only specifies the password attribute:
$ ldapsearch -x -LLL -b "ou=Password Policies,dc=example,dc=com"
dn: ou=Password Policies,dc=example,dc=com
ou: Password Policies
objectClass: organizationalUnit
description: Container for OpenLDAP password policies

dn: cn=default,ou=Password Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword