I have two issues. One is that I gave myself redundant ppolicy overlays I can't delete. The other is that I don't know why I cannot reset a user's password.
The first is that in a rush, late at night, I ended up with multiple (duplicate) Password Policy Overlays. I went back and tried to delete these, but:
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config
changetype: delete
deleting entry "olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config"
ldap_delete: Server is unwilling to perform (53)
root@ldap0:~# slapd -V
@(#) $OpenLDAP: slapd (Ubuntu) (May 31 2017 21:52:16) $
buildd@lgw01-30:/build/openldap-tnOaja/openldap-2.4.31/debian/build/servers/slapd
Okay, so what is that overlay? Pretty simple stuff:
dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=qxxxxxxxxd,dc=com
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
(But defined four times ... {2..5})
What is the problem, then? The problem is I cannot set a user's password.
root@ldap0:~# /usr/bin/ldappasswd -y /etc/ldapscripts/ldapscripts.passwd -D cn=admin,dc=qxxxxxxxxd,dc=com -x -H ldap://localhost -T /tmp/ldapsetpasswd uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
Result: No such attribute (16)
Say what?
dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
structuralObjectClass: account
entryUUID: cd55cc80-f8a5-1037-976e-9da738d41e24
creatorsName: cn=admin,dc=qxxxxxxxxd,dc=com
createTimestamp: 20180530223739Z
pwdFailureTime: 20180530223741Z
pwdFailureTime: 20180530224243Z
pwdFailureTime: 20180530224244Z
pwdFailureTime: 20180530224306Z
pwdFailureTime: 20180530224307Z
pwdFailureTime: 20180530224354Z
pwdFailureTime: 20180530224538Z
pwdFailureTime: 20180530224541Z
entryCSN: 20180530224541.157285Z#000000#000#000000
modifiersName: cn=admin,dc=qxxxxxxxxd,dc=com
modifyTimestamp: 20180530224541Z
entryDN: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Maybe the user is locked out?
root@ldap0:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -D cn=admin,dc=qxxxxxxxxd,dc=com
dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
changetype: modify
delete: pwdFailureTime
modifying entry "uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com"
ldap_modify: Constraint violation (19)
additional info: pwdFailureTime: no user modification allowed
Q1: Any bright idea on removing the redundant ppolicy overlays?
Q2: Any bright idea on what's up with resetting zachary's password?
Thanks,
-danny
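As an added example (not part of the original post, and not OpenLDAP's own tooling), here is a small Python script that audits an offline LDIF dump such as the output of slapcat for the two conditions the post describes: the same overlay type stacked more than once on one database, and the ppolicy counters sitting on a user entry. The sample LDIF is constructed to mirror the post (ppolicy at {2}..{5}, the same eight pwdFailureTime values); the dc=example,dc=com domain, the memberof overlay, the user's objectClass/uid values and the pwd_max_failure value of 5 are placeholders, and the file layout assumes the Debian/Ubuntu slapd.d directory under /etc/ldap/slapd.d.

```python
"""Offline audit of slapcat-style LDIF: duplicated cn=config overlays and
ppolicy lockout state.  Added example, not code from the original post."""
import re
from collections import defaultdict

SLAPD_D = "/etc/ldap/slapd.d"  # Debian/Ubuntu default location (assumption)
ORDER_PREFIX = re.compile(r"^\{\d+\}")
USER_DN = "uid=zachary,ou=People,dc=example,dc=com"  # placeholder domain

# Constructed sample mirroring the post: ppolicy stacked four times ({2}..{5})
# on olcDatabase={1}hdb, plus one unrelated overlay that must not be flagged.
SAMPLE_CONFIG_LDIF = (
    "dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config\n"
    "olcOverlay: {0}memberof\n"
) + "".join(f"""
dn: olcOverlay={{{i}}}ppolicy,olcDatabase={{1}}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {{{i}}}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=example,dc=com
""" for i in range(2, 6))

# Constructed user entry carrying the eight pwdFailureTime values from the post.
SAMPLE_USER_LDIF = """\
dn: uid=zachary,ou=People,dc=example,dc=com
objectClass: account
uid: zachary
pwdFailureTime: 20180530223741Z
pwdFailureTime: 20180530224243Z
pwdFailureTime: 20180530224244Z
pwdFailureTime: 20180530224306Z
pwdFailureTime: 20180530224307Z
pwdFailureTime: 20180530224354Z
pwdFailureTime: 20180530224538Z
pwdFailureTime: 20180530224541Z
"""

def parse_ldif(text):
    """Minimal RFC 2849 reader (no base64): [(dn, {attr_lower: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in re.sub(r"\n ", "", block).splitlines():  # unfold
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
        if dn:
            entries.append((dn, dict(attrs)))
    return entries

def find_duplicate_overlays(entries):
    """{(database DN, overlay type): [overlay DNs]} for types stacked more than
    once on the same database.  Assumes DNs contain no escaped commas."""
    groups = defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get("olcoverlay", []):
            groups[(dn.split(",", 1)[1], ORDER_PREFIX.sub("", value).lower())].append(dn)
    return {key: dns for key, dns in groups.items() if len(dns) > 1}

def slapd_d_path(dn, base=SLAPD_D):
    """File slapd keeps a cn=config entry in: RDNs nest as directories from the
    root down and the leaf RDN gets a .ldif suffix (no filesystem escaping)."""
    rdns = dn.split(",")
    return "/".join([base, *reversed(rdns[1:]), rdns[0] + ".ldif"])

def extra_overlay_files(duplicates, base=SLAPD_D):
    """Keep the lowest-indexed instance of each duplicated type; return the
    slapd.d files of the remaining instances."""
    index = lambda d: int(re.search(r"\{(\d+)\}", d).group(1))  # leaf {n}
    return [slapd_d_path(dn, base) for dns in duplicates.values()
            for dn in sorted(dns, key=index)[1:]]

def lockout_report(entries, user_dn, pwd_max_failure=None):
    """Counters ppolicy keeps on the entry; 'locked' means pwdAccountLockedTime is set."""
    attrs = dict(entries).get(user_dn)
    if attrs is None:
        raise KeyError(user_dn)
    failures = attrs.get("pwdfailuretime", [])
    return {"failure_count": len(failures),
            "locked": "pwdaccountlockedtime" in attrs,
            "at_or_over_max": pwd_max_failure is not None and len(failures) >= pwd_max_failure}

def clear_failures_ldif(user_dn):
    """LDIF to drop the failure counter.  pwdFailureTime is NO-USER-MODIFICATION,
    so plain ldapmodify answers 'Constraint violation (19)'; apply this with
    ldapmodify -e relax (Relax Rules control) instead."""
    return f"dn: {user_dn}\nchangetype: modify\ndelete: pwdFailureTime\n"

if __name__ == "__main__":
    dups = find_duplicate_overlays(parse_ldif(SAMPLE_CONFIG_LDIF))
    print("remove with slapd stopped:", *extra_overlay_files(dups), sep="\n  ")
    print(lockout_report(parse_ldif(SAMPLE_USER_LDIF), USER_DN, pwd_max_failure=5))
    print(clear_failures_ldif(USER_DN))
```

Two facts the script leans on: back-config in OpenLDAP 2.4 does not accept delete operations over LDAP, which is why a config entry answers unwilling to perform (53), so surplus overlay files are removed while slapd is stopped and the tree checked with slaptest -u before it is started again; and pwdFailureTime is a NO-USER-MODIFICATION operational attribute, so it is only cleared with the Relax Rules control (ldapmodify -e relax, bound as an identity with manage access) or by ppolicy itself after a successful bind.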