Hello,
I'm running OpenLDAP with the password policy overlay. After installing and configuring the overlay, we cannot change passwords anymore.
ldappasswd -D cn=username,dc=domain,dc=tld -S -W
New password: ********
Re-enter new password: ********
Enter LDAP Password: ********
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
This is my default password policy:
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE
This is my password policy configuration:
dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE
Does anyone know what to do?
Thanks in advance for any reply,
Marco
Marco Weber wrote:
| ldappasswd -D cn=username,dc=domain,dc=tld -S -W
| New password: ********
| Re-enter new password: ********
| Enter LDAP Password: ********
| Result: Constraint violation (19)
| Additional info: Password policy only allows one password value
I experienced the same issue with slapo-ppolicy in effect. I suspect it's caused if the password-hash configuration directive was changed, but up to now I did not dig any deeper.
It helps to have some software at hand which sends an appropriate ModifyRequest with MOD_REPLACE of the userPassword attribute value, carrying the updated password hash scheme. After that the Password Modify extended operation (as used by ldappasswd) works again.
Ciao, Michael.
Hello,
Indeed, I've changed the olcPasswordHash setting. And what kind of software "sends an appropriate ModifyRequest with MOD_REPLACE"?
ldapmodify -D cn=username,dc=domain,dc=tld -W
dn: cn=username,dc=domain,dc=tld
changetype: modify
replace: userPassword
userPassword: TheNewValue
Is this a MOD_REPLACE request?
Best regards, Marco Weber
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Sunday, 16 October 2011 20:22
To: Marco Weber
Cc: openldap-technical@openldap.org
Subject: Re: password-policy configuration problems: cannot change passwords
Marco Weber wrote:
| Indeed, I've changed the olcPasswordHash setting. And what kind of software "sends an appropriate ModifyRequest with MOD_REPLACE"?
| ldapmodify -D cn=username,dc=domain,dc=tld -W
| dn: cn=username,dc=domain,dc=tld
| changetype: modify
| replace: userPassword
| userPassword: TheNewValue
| Is this a MOD_REPLACE request?
Yes, this is correct. You can use slappasswd to generate pre-hashed passwords and put it in the LDIF as TheNewValue.
Ciao, Michael.
Ok, I've changed the password:
ldapmodify -D cn=username,dc=domain,dc=tld -W
dn: cn=username,dc=domain,dc=tld
changetype: modify
replace: userPassword
userPassword: TheNewValue
Then I tried to change the password using ldappasswd:
ldappasswd -D cn=username,dc=domain,dc=tld -S -W
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
It seems like it didn't help. I think it must be something else.
This is my default password policy:
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE
This is my password policy configuration:
dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE
And I'm using OpenLDAP on RHEL:
Name : openldap-servers
Arch : x86_64
Version : 2.4.23
Release : 15.el6_1.3
From repo : rhel-x86_64-server-6
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Wednesday, 26 October 2011 20:35
To: Marco Weber
Cc: openldap-technical@openldap.org
Subject: Re: password-policy configuration problems: cannot change passwords
Marco Weber wrote:
| Ok, I've changed the password:
| ldapmodify -D cn=username,dc=domain,dc=tld -W
| dn: cn=username,dc=domain,dc=tld
| changetype: modify
| replace: userPassword
| userPassword: TheNewValue
| Then I tried to change the password using ldappasswd:
| ldappasswd -D cn=username,dc=domain,dc=tld -S -W
| New password:
| Re-enter new password:
| Enter LDAP Password:
| Result: Constraint violation (19)
| Additional info: Password policy only allows one password value
What was TheNewValue? If you have password-hash {SSHA} this has to be a pre-hashed password. Use slappasswd to generate one.
Ciao, Michael.
I've used slappasswd. The password was something like: {SSHA}xxxxxxxxxxxxxxxx
Some time ago, before having applied the password policy settings, I changed the olcPasswordHash from {MD5} to {SSHA}. Almost all users should now have {SSHA} passwords.
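The two things the thread turns on are the ppolicy message "Password policy only allows one password value" and the question of which hash scheme each user's stored value actually carries after the olcPasswordHash change from {MD5} to {SSHA}. Below is an added example (not code from the thread or from OpenLDAP) that audits a slapcat-style LDIF dump for both conditions before anyone relies on ldappasswd again: it parses the dump, reports entries with more than one userPassword value and entries whose value is not in the expected scheme, verifies a {SSHA} value the way slapd does (base64 of SHA-1 digest followed by the salt, the layout slappasswd -h {SSHA} emits; OpenLDAP uses a 4-byte salt by default), and builds the MOD_REPLACE LDIF from the thread for an entry that needs re-hashing. The three sample entries and their passwords are constructed for the example; the {MD5} value is {MD5} of the string "password".

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

SHA1_LEN = 20  # in a {SSHA} value the first 20 decoded bytes are the digest, the rest is the salt
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value in the layout slappasswd -h {SSHA} emits:
    base64(sha1(password + salt) + salt), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (any salt length)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader for slapcat-style dumps: unfolds continuation lines,
    decodes 'attr:: base64' values and returns {attr: [values]} per entry."""
    entries: List[Dict[str, List[str]]] = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines: List[str] = []
        for line in block.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            if line.startswith(" ") and lines:   # folded continuation line
                lines[-1] += line[1:]
            else:
                lines.append(line)
        entry: Dict[str, List[str]] = {}
        for line in lines:
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        entries.append(entry)
    return entries


def audit_passwords(entries, expected_scheme: str = "SSHA") -> List[Tuple[str, str]]:
    """Flag entries with more than one userPassword value (the condition named in
    the ppolicy error) and values that do not use the expected hash scheme."""
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        values = entry.get("userpassword", [])
        if len(values) > 1:
            findings.append((dn, f"{len(values)} userPassword values; ppolicy allows only one"))
        for value in values:
            m = SCHEME_RE.match(value)
            scheme = m.group(1).upper() if m else "CLEARTEXT"
            if scheme != expected_scheme.upper():
                findings.append((dn, f"hash scheme {scheme}, expected {expected_scheme}"))
    return findings


def replace_password_ldif(dn: str, new_value: str) -> str:
    """The MOD_REPLACE change from the thread, as an LDIF string for ldapmodify."""
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {new_value}\n"


# Constructed sample dump (fixed salt so the values are reproducible).
ALICE_HASH = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")
ALICE_B64 = base64.b64encode(ALICE_HASH.encode("ascii")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: cn=alice,dc=domain,dc=tld
objectClass: person
cn: alice
sn: Alice
userPassword:: {ALICE_B64}

dn: cn=bob,dc=domain,dc=tld
objectClass: person
cn: bob
sn: Bob
userPassword: {{MD5}}X03MO1qnZdYdgyfeuILPmQ==

dn: cn=carol,dc=domain,dc=tld
objectClass: person
cn: carol
sn: Carol
userPassword: {ALICE_HASH}
userPassword: {{MD5}}X03MO1qnZdYdgyfeuILPmQ==
"""

if __name__ == "__main__":
    for dn, problem in audit_passwords(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
    print(replace_password_ldif("cn=bob,dc=domain,dc=tld", make_ssha("new secret")))
```

Run against a real dump (slapcat output piped into parse_ldif) the audit lists which entries still carry {MD5} values and which have picked up a second userPassword value; the latter is the one condition the ppolicy message actually names, so it is worth ruling out before suspecting the hash scheme alone. The generated LDIF is exactly the change Marco applied with ldapmodify, with a freshly hashed {SSHA} value in place of TheNewValue.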
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Thursday, 27 October 2011 09:20
To: Marco Weber
Cc: openldap-technical@openldap.org
Subject: Re: password-policy configuration problems: cannot change passwords