Hello,
I have two issues. One is I gave myself redundant *ppolicy* overlays I can't delete. The other is I don't know why I cannot reset a user's password.
The first is that in a rush, late at night, I ended up with multiple (duplicate) Password Policy Overlays. I went back and tried to delete these, but:
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config
changetype: delete

deleting entry "olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config"
ldap_delete: Server is unwilling to perform (53)
It looks like this is a known consideration, per http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays and that I'll have to cowboy the server config to get the redundant overlays removed.
root@ldap0:~# slapd -V
@(#) $OpenLDAP: slapd (Ubuntu) (May 31 2017 21:52:16) $
        buildd@lgw01-30:/build/openldap-tnOaja/openldap-2.4.31/debian/build/servers/slapd
Okay, so what is that overlay? Pretty simple stuff:
dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=qxxxxxxxxd,dc=com
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
(But defined four times ... {2..5})
What is the problem, then? The problem is I cannot set a user's password.
root@ldap0:~# /usr/bin/ldappasswd -y /etc/ldapscripts/ldapscripts.passwd -D cn=admin,dc=qxxxxxxxxd,dc=com -x -H ldap://localhost -T /tmp/ldapsetpasswd uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
Result: No such attribute (16)
Say what?
dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
structuralObjectClass: account
entryUUID: cd55cc80-f8a5-1037-976e-9da738d41e24
creatorsName: cn=admin,dc=qxxxxxxxxd,dc=com
createTimestamp: 20180530223739Z
pwdFailureTime: 20180530223741Z
pwdFailureTime: 20180530224243Z
pwdFailureTime: 20180530224244Z
pwdFailureTime: 20180530224306Z
pwdFailureTime: 20180530224307Z
pwdFailureTime: 20180530224354Z
pwdFailureTime: 20180530224538Z
pwdFailureTime: 20180530224541Z
entryCSN: 20180530224541.157285Z#000000#000#000000
modifiersName: cn=admin,dc=qxxxxxxxxd,dc=com
modifyTimestamp: 20180530224541Z
entryDN: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Maybe the user is locked out?
root@ldap0:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -D cn=admin,dc=qxxxxxxxxd,dc=com
dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com
changetype: modify
delete: pwdFailureTime

modifying entry "uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com"
ldap_modify: Constraint violation (19)
        additional info: pwdFailureTime: no user modification allowed
Q1: Any bright idea on removing the redundant ppolicy overlays?
Q2: Any bright idea on what's up with resetting zachary's password?
Thanks, -danny
openldap-technical@openldap.org
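An added example, not part of the post above: a small audit script that reads a cn=config LDIF dump (such as the output of slapcat -n 0) and reports overlay types defined more than once on the same database, which is the {2}..{5} ppolicy duplication described in the post. The sample LDIF is constructed for illustration; the database suffix and overlay indices are assumptions, not data from the poster's server.

```python
"""Audit a cn=config LDIF dump for overlay types defined more than once on
the same database, such as several ppolicy instances."""
from collections import defaultdict
import re

# Constructed sample resembling the poster's situation (ppolicy at {2}..{5}
# on olcDatabase={1}hdb); not actual output from the poster's server.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}hdb

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}memberof

""" + "".join(
    f"dn: olcOverlay={{{i}}}ppolicy,olcDatabase={{1}}hdb,cn=config\n"
    "objectClass: olcOverlayConfig\n"
    "objectClass: olcPPolicyConfig\n"
    f"olcOverlay: {{{i}}}ppolicy\n\n"
    for i in range(2, 6)
)

# DN of an overlay entry: olcOverlay={N}type,olcDatabase={M}backend,cn=config
OVERLAY_DN = re.compile(
    r"^dn:\s*olcOverlay=\{(\d+)\}(\w+),(olcDatabase=\{\d+\}\w+,cn=config)$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_overlays(ldif):
    """Return {database_dn: [(index, overlay_type), ...]}. LDIF folds long
    lines with a leading space, so unfold before matching DNs."""
    unfolded = re.sub(r"\n ", "", ldif)
    overlays = defaultdict(list)
    for idx, kind, db in OVERLAY_DN.findall(unfolded):
        overlays[db].append((int(idx), kind.lower()))
    return dict(overlays)

def find_duplicate_overlays(ldif):
    """Return {database_dn: {overlay_type: [indices]}} for types seen twice+."""
    dupes = {}
    for db, entries in parse_overlays(ldif).items():
        by_kind = defaultdict(list)
        for idx, kind in entries:
            by_kind[kind].append(idx)
        extra = {k: sorted(v) for k, v in by_kind.items() if len(v) > 1}
        if extra:
            dupes[db] = extra
    return dupes
```

Running find_duplicate_overlays over a real slapcat -n 0 dump shows exactly which olcOverlay indices are redundant before touching the config offline.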