Hello,
I'm running OpenLDAP with the password policy overlay. After the overlay installation and configuration, we cannot change the passwords anymore.
Michael Ströder said that an LDAP modify request should resolve this issue, but it didn't help.
[root@ldapsrv ~]# ldappasswd -e ppolicy -D cn=username,dc=domain,dc=tld -S -W
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAA=
ppolicy:
This is the log:
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 ACCEPT from IP=192.168.41.41:48899 (IP=0.0.0.0:636)
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 TLS established tls_ssf=256 ssf=256
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" method=128
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" mech=SIMPLE ssf=0
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 RESULT tag=97 err=0 text=
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 PASSMOD new
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 RESULT oid= err=19 text=Password policy only allows one password value
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=2 UNBIND
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 closed
this is my default password policy:
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE
this is my password policy configuration:
dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE
Thanks in advance for any reply,
Marco
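The ldappasswd output above ends with a response control: OID 1.3.6.1.4.1.42.2.27.8.5.1 is the Password Policy response control and MAA= is its base64 BER value. As an added example that is not part of Marco's post or of OpenLDAP, the following POSIX shell function decodes that value into its warning and error fields. MAA= decodes to 0x30 0x00, an empty SEQUENCE, so the control reports neither a warning nor one of the policy error codes (passwordInHistory, passwordTooYoung and so on); the failure is the overlay's single-value check named in the "Additional info" text. The two other values fed to the function are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenLDAP: decode the value that
# ldappasswd prints after the Password Policy response control OID
# 1.3.6.1.4.1.42.2.27.8.5.1. The value is base64 BER of
#   PasswordPolicyResponseValue ::= SEQUENCE {
#       warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                            graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#       error   [1] ENUMERATED { passwordExpired(0) .. passwordInHistory(8) } OPTIONAL }
# Only short-form BER lengths are handled, which is all a value this small needs.
decode_ppolicy_control() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        A = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        split("passwordExpired accountLocked changeAfterReset passwordModNotAllowed mustSupplyOldPassword insufficientPasswordQuality passwordTooShort passwordTooYoung passwordInHistory", E, " ")
    }
    {
        # base64 text -> byte values b[0..n-1]
        n = 0; bits = 0; nbits = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "=") break
            v = index(A, c) - 1
            if (v < 0) continue
            bits = bits * 64 + v; nbits += 6
            if (nbits >= 8) {
                nbits -= 8
                b[n++] = int(bits / 2 ^ nbits)
                bits = bits % 2 ^ nbits
            }
        }
        if (n < 2 || b[0] != 48) { print "not a SEQUENCE"; exit 1 }
        len = b[1]; p = 2
        if (len == 0) { print "empty: no warning, no error"; exit }
        while (p < 2 + len) {
            tag = b[p]; l = b[p + 1]; p += 2
            if (tag == 160) {                  # [0] warning: CHOICE of two INTEGERs
                val = 0
                for (j = 0; j < b[p + 1]; j++) val = val * 256 + b[p + 2 + j]
                w = (b[p] == 128) ? "timeBeforeExpiration" : "graceAuthNsRemaining"
                print "warning: " w "=" val
            } else if (tag == 129) {           # [1] error: ENUMERATED
                print "error: " E[b[p] + 1]
            }
            p += l
        }
    }'
}

# MAA= is the value in the ldappasswd output above: 0x30 0x00, an empty SEQUENCE
decode_ppolicy_control MAA=
# Constructed values (not from the thread): an error field of passwordInHistory(8),
# and a warning of 60 seconds before expiration
decode_ppolicy_control MAOBAQg=
decode_ppolicy_control MAWgA4ABPA==
```

Run it on whatever base64 follows the control OID in your own ldappasswd or ldapsearch output; a non-empty error field would point at a policy condition rather than at the value-count check.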
On Thursday, 22 December 2011 12:26:38 Marco Weber wrote:
The error message, and the code that issues that error message, seem to indicate that ppolicy doesn't allow multiple values for the userPassword attribute to exist in an existing entry when the password is changed.
You may want to check how many values are present for userPassword on cn=username,dc=domain,dc=tld, and if there are multiple values, remove all or all but one.
Regards, Buchan
If that's true, would there be anyway to change the error text? Perhaps "Password policy overlay only allows one password value in dn - more than one found". If there's a clear reason for an error, I think the added text would be valuable to an administrator.
- chris
----- Original Message ----- From: openldap-technical-bounces@OpenLDAP.org openldap-technical-bounces@OpenLDAP.org To: openldap-technical@openldap.org openldap-technical@openldap.org Cc: Marco Weber marco.weber@mpulse.eu Sent: Fri Dec 23 00:47:34 2011 Subject: Re: password-policy configuration problems: cannot change passwords
On Friday, 23 December 2011 09:59:00 Chris Jacobs wrote:
Sure:
$ grep -r 'Password policy only allows one password value' openldap-2.4.28
openldap-2.4.28/servers/slapd/overlays/ppolicy.c: send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, "Password policy only allows one password value" );
openldap-2.4.28/servers/slapd/overlays/ppolicy.c: rs->sr_text = "Password policy only allows one password value";
Note that there are two cases that have the same error text:
1) Multiple values for userPassword exist in the entry in the directory
2) An add is being performed with two values for userPassword in the entry being added
However, for English speakers who are marginally familiar with OpenLDAP, surely the existing error message is enough to point the user to look at either the LDIF they are adding or the entry they are modifying?
Maybe the issue is that error messages need to be internationalised and localised (but, how do you determine the locale to use when providing error messages over the wire?).
Regards, Buchan
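Buchan's check (count the userPassword values on the entry and remove all but one) and the two cases he lists (values already in the directory, or two values in an LDIF being added), as an added example that is not part of the thread or of OpenLDAP: two POSIX shell functions over LDIF of the kind ldapsearch -LLL prints or that you are about to ldapadd. The first reports the number of userPassword values per entry, handling folded continuation lines and base64 "::" values; the second emits an ldapmodify change that deletes every value after the first so exactly one remains. The sample LDIF is constructed, and the ldapsearch/ldapmodify invocations in the comments assume a cn=admin bind DN and are not run here.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenLDAP.
# Typical use against a live server (assumed bind DN, not run here):
#   ldapsearch -LLL -x -D cn=admin,dc=domain,dc=tld -W -b dc=domain,dc=tld \
#       '(userPassword=*)' userPassword > pw.ldif
#   count_userpassword < pw.ldif                 # entries with count > 1 trip ppolicy
#   prune_extra_passwords < pw.ldif > fix.ldif   # review it, then:
#   ldapmodify -x -D cn=admin,dc=domain,dc=tld -W -f fix.ldif
# The same functions work on an LDIF you are about to ldapadd (Buchan's case 2).

# LDIF unfolding: a line starting with a space continues the previous one.
# Values are passed through as printed, so "userPassword:: <base64>" stays base64.
ldif_unfold() {
    awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END { if (buf != "") print buf }'
}

# Print "<count><TAB><dn>" for every entry in the LDIF on stdin.
count_userpassword() {
    ldif_unfold | awk '
    function flush() { if (dn != "") printf "%d\t%s\n", n, dn; dn = ""; n = 0 }
    /^dn:/ { flush(); dn = $0; sub(/^dn::? /, "", dn) }
    /^userPassword::? / { n++ }
    END { flush() }'
}

# Emit an ldapmodify LDIF that deletes every userPassword value after the first
# one of each entry that has more than one. Clean entries produce no output.
# The dn: line is reproduced verbatim, so a base64 "dn::" line stays valid.
prune_extra_passwords() {
    ldif_unfold | awk '
    function flush(  i) {
        if (dnline != "" && n > 1) {
            printf "%s\nchangetype: modify\ndelete: userPassword\n", dnline
            for (i = 2; i <= n; i++) print vals[i]
            print "-\n"
        }
        dnline = ""; n = 0; split("", vals)
    }
    /^dn:/ { flush(); dnline = $0 }
    /^userPassword::? / { vals[++n] = $0 }
    END { flush() }'
}

# Constructed sample (not from the thread): alice is clean, bob has two values
# (the second base64-encoded), carol has one value folded across two lines.
SAMPLE_LDIF='dn: cn=alice,dc=domain,dc=tld
userPassword: {SSHA}aaaa

dn: cn=bob,dc=domain,dc=tld
userPassword: {SSHA}bbbb
userPassword:: e1NTSEF9Y2NjYw==

dn: cn=carol,dc=domain,dc=tld
userPassword: {SSHA}dd
 dd
'

printf '%s' "$SAMPLE_LDIF" | count_userpassword
printf '%s' "$SAMPLE_LDIF" | prune_extra_passwords
```

The prune step keeps the first value as printed by the server; if you know which value users currently authenticate with, edit the generated LDIF so that value is the one that survives before applying it.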
Hi,
Thank you for your reply. I looked in the OpenLDAP directory using Apache Directory Studio, and there is just one userPassword entry per node/user.
Are there maybe two temporary passwords when executing the ldappasswd command? There are no errors when executing an LDAP modify request...
Best regards, Marco Weber
From: Buchan Milne [bgmilne@staff.telkomsa.net] Sent: Friday, 23 December 2011 10:27 To: Chris Jacobs Cc: 'openldap-technical@openldap.org'; Marco Weber Subject: Re: password-policy configuration problems: cannot change passwords
Marco Weber wrote:
Personally, I consider this a bug in OpenLDAP's slapo-ppolicy when processing the LDAP Modify Password extended operation.
Ciao, Michael.