
RE: password-policy configuration problems: cannot change passwords



Ok, I've changed the password:
ldapmodify -D cn=username,dc=domain,dc=tld -W
dn: cn=username,dc=domain,dc=tld
changetype: modify
replace: userPassword
userPassword: TheNewValue

Then I tried to change the password using ldappasswd:
ldappasswd -D cn=username,dc=domain,dc=tld -S -W
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value

It seems like it didn't help.
I think it must be something else.


This is my default password policy:
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE

This is my password policy configuration:
dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE

And I'm using OpenLDAP on RHEL:
Name        : openldap-servers
Arch        : x86_64
Version     : 2.4.23
Release     : 15.el6_1.3
From repo   : rhel-x86_64-server-6


-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com] 
Sent: Wednesday, 26 October 2011 20:35
To: Marco Weber
Cc: openldap-technical@openldap.org
Subject: Re: password-policy configuration problems: cannot change passwords

Marco Weber wrote:
> Indeed, I've changed the olcPasswordHash setting.
> And what kind of software "sends an appropriate ModifyRequest with MOD_REPLACE" ?
> 
> ldapmodify -D cn=username,dc=domain,dc=tld -W
> dn: cn=username,dc=domain,dc=tld
> changetype: modify
> replace: userPassword
> userPassword: TheNewValue
> 
> Is this a MOD_REPLACE request?

Yes, this is correct. You can use slappasswd to generate pre-hashed passwords and put it in the LDIF as TheNewValue.

Ciao, Michael.
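
The suggestion in the quoted reply, worked through as an added example that is not part of either message: it builds a salted SHA-1 {SSHA} value of the kind slappasswd produces by default and places it in the MOD_REPLACE LDIF shown in the thread. The function names, the 4-byte salt and the sample DN and password are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"

def ssha_hash(password, salt=None):
    """Return {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # salt length is this example's choice
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:
        return False
    if len(raw) <= 20:  # SHA-1 digest is 20 bytes; the rest is the salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when value is not an LDIF SAFE-STRING."""
    raw = value.encode("utf-8")
    safe = (len(raw) > 0 and raw[0] not in b" :<" and not raw.endswith(b" ")
            and all(b < 128 and b not in (0, 10, 13) for b in raw))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"

def replace_password_ldif(dn, hashed):
    """Build the modify/replace record for userPassword, as in the thread."""
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: userPassword",
        ldif_line("userPassword", hashed),
        "",
    ])

if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    print(replace_password_ldif("cn=username,dc=domain,dc=tld", ssha_hash("TheNewValue")))
```

The printed record can be fed to ldapmodify in place of the cleartext version, so the new password is never written into the LDIF in the clear.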