Ok, I've changed the password:

    ldapmodify -D cn=username,dc=domain,dc=tld -W
    dn: cn=username,dc=domain,dc=tld
    changetype: modify
    replace: userPassword
    userPassword: TheNewValue

Then I tried to change the password using ldappasswd:

    ldappasswd -D cn=username,dc=domain,dc=tld -S -W
    New password:
    Re-enter new password:
    Enter LDAP Password:
    Result: Constraint violation (19)
    Additional info: Password policy only allows one password value

It seems like it didn't help. I think it must be something else.

This is my default password policy:

    dn: cn=password-policy,dc=policies,dc=domain,dc=tld
    objectClass: person
    objectClass: pwdPolicy
    objectClass: top
    cn: password-policy
    pwdAttribute: userPassword
    sn: Default Password Policy
    pwdAllowUserChange: TRUE
    pwdExpireWarning: 604800
    pwdInHistory: 3
    pwdLockout: TRUE
    pwdLockoutDuration: 7200
    pwdMaxAge: 7776000
    pwdMaxFailure: 5
    pwdMinAge: 180
    pwdMinLength: 8
    pwdMustChange: TRUE

This is my password policy configuration:

    dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcPPolicyConfig
    objectClass: top
    olcOverlay: ppolicy
    olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
    olcPPolicyUseLockout: TRUE

And I'm using openldap on RHEL:

    Name      : openldap-servers
    Arch      : x86_64
    Version   : 2.4.23
    Release   : 15.el6_1.3
    From repo : rhel-x86_64-server-6

-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Wednesday, 26 October 2011 20:35
To: Marco Weber
Cc: openldap-technical@openldap.org
Subject: Re: password-policy configuration problems: cannot change passwords

Marco Weber wrote:
> Indeed, I've changed the olcPasswordHash setting. And what kind of software "sends an appropriate ModifyRequest with MOD_REPLACE"?
>
> ldapmodify -D cn=username,dc=domain,dc=tld -W
> dn: cn=username,dc=domain,dc=tld
> changetype: modify
> replace: userPassword
> userPassword: TheNewValue
>
> Is this a MOD_REPLACE request?

Yes, this is correct. You can use slappasswd to generate pre-hashed passwords and put it in the LDIF as TheNewValue.

Ciao, Michael.
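
The pre-hashed MOD_REPLACE suggested at the end of the thread, as an added example that is not part of the original messages: a Python stand-in for the {SSHA} value slappasswd produces, the resulting LDIF change record, and a check that the record carries exactly one userPassword value. The helper names and the 4-byte salt length are assumptions of this example.

```python
from __future__ import annotations
import base64, hashlib, hmac, os

def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return a userPassword value in the {SSHA} format: b64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt   # assumed salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]                # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def replace_password_ldif(dn: str, hashed: str) -> str:
    """Build the change record from the thread with a pre-hashed value."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {hashed}\n"
            "-\n")

def password_mods(ldif: str) -> list[tuple[str, int]]:
    """Return (operation, value count) for each userPassword modification."""
    mods, op = [], None
    for line in ldif.splitlines():
        key, _, value = line.partition(":")
        if key in ("add", "replace", "delete"):
            op = key if value.strip().lower() == "userpassword" else None
            if op:
                mods.append([op, 0])
        elif line.strip() == "-":                    # end of one modification
            op = None
        elif op and key.lower() == "userpassword":
            mods[-1][1] += 1
    return [tuple(m) for m in mods]

if __name__ == "__main__":
    # Constructed sample input: the DN and placeholder password from the thread.
    record = replace_password_ldif("cn=username,dc=domain,dc=tld",
                                   ssha_hash("TheNewValue"))
    print(record)
    print(password_mods(record))                     # one replace, one value
```

The printed record can be fed to ldapmodify on standard input in the same way as the LDIF shown in the thread.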