Hello,

I have two issues. One is I gave myself redundant ppolicy overlays I can't delete. The other is I don't know why I cannot reset a user's password.

The first is that in a rush, late at night, I ended up with multiple (duplicate) Password Policy Overlays. I went back and tried to delete these, but:

$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config
changetype: delete
deleting entry "olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config"
ldap_delete: Server is unwilling to perform (53)

It looks like this is a known consideration, per http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays and that I'll have to cowboy the server config to get the redundant overlays removed.

root@ldap0:~# slapd -V
@(#) $OpenLDAP: slapd  (Ubuntu) (May 31 2017 21:52:16) $
buildd@lgw01-30:/build/openldap-tnOaja/openldap-2.4.31/debian/build/servers/slapd

Okay, so what is that overlay? Pretty simple stuff:

dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=qxxxxxxxxd,dc=com
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

(But defined four times ... {2..5})

What is the problem, then? The problem is I cannot set a user's password.

root@ldap0:~# /usr/bin/ldappasswd -y /etc/ldapscripts/ldapscripts.passwd -D cn=admin,dc=qxxxxxxxxd,dc=com -x -H ldap://localhost -T /tmp/ldapsetpasswd uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
Result: No such attribute (16)

Say what?

dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
structuralObjectClass: account
entryUUID: cd55cc80-f8a5-1037-976e-9da738d41e24
creatorsName: cn=admin,dc=qxxxxxxxxd,dc=com
createTimestamp: 20180530223739Z
pwdFailureTime: 20180530223741Z
pwdFailureTime: 20180530224243Z
pwdFailureTime: 20180530224244Z
pwdFailureTime: 20180530224306Z
pwdFailureTime: 20180530224307Z
pwdFailureTime: 20180530224354Z
pwdFailureTime: 20180530224538Z
pwdFailureTime: 20180530224541Z
entryCSN: 20180530224541.157285Z#000000#000#000000
modifiersName: cn=admin,dc=qxxxxxxxxd,dc=com
modifyTimestamp: 20180530224541Z
entryDN: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Maybe the user is locked out?

root@ldap0:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -D cn=admin,dc=qxxxxxxxxd,dc=com
dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
changetype: modify
delete: pwdFailureTime
modifying entry "uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com"
ldap_modify: Constraint violation (19)
additional info: pwdFailureTime: no user modification allowed

Q1: Any bright idea on removing the redundant ppolicy overlays?

Q2: Any bright idea on what's up with resetting zachary's password?

Thanks,
-danny


--
http://dannyman.toldme.com
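As an added example (not part of Danny's post or of OpenLDAP), here is a small audit script that parses LDIF dumps like the ones quoted above and reports duplicate ppolicy overlays per database and the pwdFailureTime / pwdAccountLockedTime state of a user entry; the LDIF samples are constructed from the post, with the domain redacted as there, and would normally come from ldapsearch output.

```python
import re

# Constructed sample LDIF modelled on the entries quoted in the post (domain redacted as there).
CONFIG_LDIF = """\
dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=qxxxxxxxxd,dc=com

dn: olcOverlay={3}ppolicy,olcDatabase={1}hdb,cn=config

dn: olcOverlay={4}ppolicy,olcDatabase={1}hdb,cn=config

dn: olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config
"""
USER_LDIF = """\
dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
pwdFailureTime: 20180530223741Z
pwdFailureTime: 20180530224243Z
pwdFailureTime: 20180530224541Z
"""
OVERLAY_RE = re.compile(r"^olcOverlay=\{\d+\}([^,]+),(.+)$")

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", text)        # RFC 2849: a leading space continues the line
    entries, cur = [], {}
    for line in unfolded.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr, []).append(val.lstrip(": "))  # base64 (::) kept undecoded
    return entries

def duplicate_overlays(entries, overlay="ppolicy"):
    """Map each database DN to its overlay DNs of the given type when more than one exists."""
    per_db = {}
    for e in entries:
        m = OVERLAY_RE.match(e.get("dn", [""])[0])
        if m and m.group(1) == overlay:
            per_db.setdefault(m.group(2), []).append(m.group(0))
    return {db: dns for db, dns in per_db.items() if len(dns) > 1}

def ppolicy_state(entry):
    """Summarise the ppolicy operational attributes relevant to a failed bind or reset."""
    failures = entry.get("pwdFailureTime", [])
    return {"failures": len(failures),
            "last_failure": max(failures, default=None),
            "locked": "pwdAccountLockedTime" in entry}
```

Run it against `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config` output and a user search that requests operational attributes (`+`) to get the same report for a live server.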