Hello,
I'm running OpenLDAP with the password policy overlay. After the overlay installation and configuration, we cannot change passwords anymore.
Michael Ströder said that an LDAP modify request should resolve this issue, but it didn't help.
[root@ldapsrv ~]# ldappasswd -e ppolicy -D cn=username,dc=domain,dc=tld -S -W
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAA=
ppolicy:
This is the log:
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 ACCEPT from IP=192.168.41.41:48899 (IP=0.0.0.0:636)
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 TLS established tls_ssf=256 ssf=256
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" method=128
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" mech=SIMPLE ssf=0
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 RESULT tag=97 err=0 text=
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 PASSMOD new
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 RESULT oid= err=19 text=Password policy only allows one password value
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=2 UNBIND
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 closed
This is my default password policy:
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE
This is my password policy configuration:
dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE
Thanks in advance for any reply,
Marco