Hello,

I'm running OpenLDAP with the password policy overlay. After the overlay 
installation and configuration, we cannot change the passwords anymore.

Michael Ströder said that an LDAP modify request should resolve this issue, but 
it didn't help.


[root@ldapsrv ~]# ldappasswd -e ppolicy -D cn=username,dc=domain,dc=tld -S -W
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAA=
ppolicy:


This is the log:

Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 ACCEPT from IP=192.168.41.41:48899 (IP=0.0.0.0:636)
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 TLS established tls_ssf=256 ssf=256
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" method=128
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" mech=SIMPLE ssf=0
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 RESULT tag=97 err=0 text=
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 PASSMOD new
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 RESULT oid= err=19 text=Password policy only allows one password value
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=2 UNBIND
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 closed



This is my default password policy:

dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE



This is my password policy configuration:

dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE



Thanks in advance for any reply,

            Marco
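
An added example, not part of the original post: Python that correlates slapd log lines by conn/op to list Password Modify extended operations that failed, together with the DN that was successfully bound on that connection. It assumes the syslog line format shown in the log above; the function and variable names are hypothetical.

```python
import re

# Log lines from the post above, with the mail line wraps rejoined.
SAMPLE_LOG = """\
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" method=128
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 RESULT tag=97 err=0 text=
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 PASSMOD new
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 RESULT oid= err=19 text=Password policy only allows one password value
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=2 UNBIND
"""

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # Password Modify extended operation (RFC 3062)
LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
BIND = re.compile(r'BIND dn="([^"]*)" method=')
RESULT = re.compile(r"RESULT (?:tag=(\d+)|oid=\S*) err=(\d+) .*?text=(.*)$")


def failed_password_changes(log_text):
    """Return one record per Password Modify exop that finished with err != 0."""
    pending_bind, bound_dn = {}, {}   # (conn, op) -> DN awaiting result; conn -> bound DN
    passmod_ops, failures = set(), []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ACCEPT, TLS and close lines carry no op= field
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        bind, result = BIND.match(rest), RESULT.match(rest)
        if bind:
            pending_bind[(conn, op)] = bind.group(1)
        elif rest == "EXT oid=" + PASSMOD_OID:
            passmod_ops.add((conn, op))
        elif result:
            tag, err, text = result.group(1), int(result.group(2)), result.group(3)
            if tag == "97" and (conn, op) in pending_bind:
                dn = pending_bind.pop((conn, op))
                # Tag 97 is the bind response; a failed bind leaves no trusted identity.
                bound_dn[conn] = dn if err == 0 else None
            elif (conn, op) in passmod_ops and err != 0:
                failures.append({"conn": conn, "op": op, "err": err,
                                 "bind_dn": bound_dn.get(conn), "text": text})
    return failures


if __name__ == "__main__":
    for failure in failed_password_changes(SAMPLE_LOG):
        print(failure)
```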
