Server Fault Asked by ipsi on December 22, 2021
This might be a bit odd, as I’ve had no success finding a solution thus far.
This is installed in CentOS 5.8, and using CentOS-Directory/8.2.8 B2012.041.1227.
Simply, I am using an application which will prompt the user to change their password (OpenAM). That works mostly fine, but if the DS is set up to store the password history, the client application is unable to change the password, constantly going “Password in history”. That’s not very useful, especially since I know that the password has not previously been used.
After sitting down with Wireshark, I saw that the client app was sending the following request:
dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword
userpassword: location
-
add: userpassword
userpassword: american_psycho
Which keels over with “Password in history”. I tried that same request on the command line:
$ ldapmodify -h host -p 389 -D "uid=AUser,ou=People,dc=testldap" -w location
dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword
userpassword: location
-
add: userpassword
userpassword: american_psycho
^D
Processing MODIFY request for uid=AUser,ou=People,dc=testldap
MODIFY operation failed
Result Code: 19 (Constraint Violation)
Additional Information: password in history
However, if I try the following:
$ ldapmodify -h host -p 389 -D "uid=AUser,ou=People,dc=testldap" -w location
dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword
-
add: userpassword
userpassword: american_psycho
^D
Processing MODIFY request for uid=AUser,ou=People,dc=testldap
MODIFY operation successful for uid=AUser,ou=People,dc=testldap
Then that obviously works, the only difference being that I’m not passing in the old password this time. I understand why you would want to pass in a value to delete (e.g. if it’s a multi-valued attribute), but I don’t understand why the DS is checking it against the password history…
I’ve checked the log files, and even with all the logging turned on I don’t see anything useful…
There’s no way to configure the client application to not send through the old password without forking it ourselves, so I’m really hoping that there’s some way to configure the CentOS Directory Server to handle this. I know that this is supported by Active Directory (or was at some point): http://msdn.microsoft.com/en-us/library/cc223249.aspx But I can’t find out how to have this be supported in CentOS DS.
slapcat -H ldpap://host:389/uid=AUser,ou=People,dc=testldap -l export.ldif
This command does export Directory Entry (or whole database) to LDIF Format.
If something is wrong with the database you can fix it and import the LDIF File.
Answered by rhasti on December 22, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP