Thanks, I will try with 2.4.41 and let you know. I may not get a chance
to test until this weekend.

Relevant output from slapcat:

dn: uid=ian,ou=UserAccounts,o=cwa
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: ldapPublicKey
givenName: Ian
displayName: Ian Bishop
uid: ian
homeDirectory: /home/ian
loginShell: /bin/bash
cn: Ian Bishop
structuralObjectClass: inetOrgPerson
entryUUID: 767c952c-c867-1034-933d-53d15af42765
creatorsName: cn=admin,o=cwa
createTimestamp: 20150727045535Z
gidNumber: 1000
sn: Bishop
uidNumber: 10000
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pwdChangedTime: 20150729140556Z
pwdHistory: 20150729140556Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}xxxxxxxxxx
entryCSN: 20150729140556.659729Z#000000#000#000000
modifiersName: cn=admin,o=cwa
modifyTimestamp: 20150729140556Z

dn: cn=passwordDefault,ou=policies,o=cwa
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: TRUE
structuralObjectClass: person
entryUUID: 3314dc02-ca3f-1034-825a-9d42205b22be
creatorsName: cn=config
createTimestamp: 20150729131225Z
pwdMinLength: 6
pwdLockoutDuration: 300
pwdInHistory: 1
entryCSN: 20150729135535.164545Z#000000#000#000000
modifiersName: cn=admin,o=cwa
modifyTimestamp: 20150729135535Z

On 30/07/15 03:01, Michael Ströder wrote:
> porjo38(a)yahoo.com.au wrote:
>> Using password policy overlay, pwdMinLength is not checked when pwdInHistory ==
>> 0.
>
> I tried to reproduce this with my local OpenLDAP 2.4.41 installation.
> In one case I thought to see this but I could not reproduce all the time.
> Maybe there's another condition for this to happen.
>
> Could you please also test with release 2.4.41?
>
> And please also post the entry with the password (and relevant pwd* attrs) and
> the pwdPolicy entry used, both as LDIF (minus sensitive data).
>
> Ciao, Michael.
>
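
An added example, not part of the original thread and not OpenLDAP project code: a small lint for a pwdPolicy entry dumped with slapcat, reporting the settings that slapo-ppolicy(5) documents as deciding whether pwdMinLength is applied, plus the pwdInHistory condition named in the report. The function names, finding codes and the trimmed sample entry are assumptions made for illustration.

```python
# Added example: lint a pwdPolicy entry taken from slapcat output.
# Semantics follow slapo-ppolicy(5); function names and codes are illustrative.

# Constructed sample: the policy entry from the message, other attributes trimmed.
POLICY_LDIF = """\
dn: cn=passwordDefault,ou=policies,o=cwa
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinLength: 6
pwdInHistory: 1
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attr: [values]}, unfolding wrapped lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        # "attr:: value" marks base64; the marker is dropped, the value kept as-is
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(":").strip())
    return entry

def lint_policy(entry):
    """Return (code, message) findings about password length enforcement."""
    if "pwdpolicy" not in (v.lower() for v in entry.get("objectclass", [])):
        return [("NOT_A_POLICY", "entry has no pwdPolicy object class")]
    def num(attr):
        return int(entry.get(attr.lower(), ["0"])[0])
    quality, minlen = num("pwdCheckQuality"), num("pwdMinLength")
    findings = []
    if minlen > 0 and quality == 0:
        findings.append(("MINLEN_NOT_ENFORCED",
            "pwdMinLength=%d but pwdCheckQuality=0: no syntax checking is done" % minlen))
    elif minlen > 0 and quality == 1:
        findings.append(("HASHED_ACCEPTED",
            "pwdCheckQuality=1: a password the server cannot check (pre-hashed) is accepted"))
    if num("pwdInHistory") == 0:
        findings.append(("HISTORY_OFF",
            "pwdInHistory=0: the condition named in the report; retest length checks"))
    return findings

if __name__ == "__main__":
    for code, message in lint_policy(parse_entry(POLICY_LDIF)):
        print(code + ": " + message)
```
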