CentOS Directory Server - Changing Password via LDAP Modify, passing in old password
This might be a bit odd, as I've had no success finding a solution thus far.
This is installed in CentOS 5.8, and using CentOS-Directory/8.2.8 B2012.041.1227.
Simply, I am using an application which will prompt the user to change their password (OpenAM). That works mostly fine, but if the DS is set up to store the password history, the client application is unable to change the password, constantly going "Password in history". That's not very useful, especially since I know that the password has not previously been used.
After sitting down with Wireshark, I saw that the client app was sending the following request:
    dn: uid=AUser,ou=People,dc=testldap
    changetype: modify
    delete: userpassword
    userpassword: location
    -
    add: userpassword
    userpassword: american_psycho
Which keels over with "Password in history". I tried that same request on the command line:
    $ ldapmodify -h host -p 389 -D "uid=AUser,ou=People,dc=testldap" -w location
    dn: uid=AUser,ou=People,dc=testldap
    changetype: modify
    delete: userpassword
    userpassword: location
    -
    add: userpassword
    userpassword: american_psycho
    ^D
    Processing MODIFY request for uid=AUser,ou=People,dc=testldap
    MODIFY operation failed
    Result Code: 19 (Constraint Violation)
    Additional Information: password in history
However, if I try the following:
    $ ldapmodify -h host -p 389 -D "uid=AUser,ou=People,dc=testldap" -w location
    dn: uid=AUser,ou=People,dc=testldap
    changetype: modify
    delete: userpassword
    -
    add: userpassword
    userpassword: american_psycho
    ^D
    Processing MODIFY request for uid=AUser,ou=People,dc=testldap
    MODIFY operation successful for uid=AUser,ou=People,dc=testldap
Then that obviously works, the only difference being that I'm not passing in the old password this time. I understand why you would want to pass in a value to delete (e.g. if it's a multi-valued attribute), but I don't understand why the DS is checking it against the password history...
I've checked the log files, and even with all the logging turned on I don't see anything useful...
There's no way to configure the client application to not send through the old password without forking it ourselves, so I'm really hoping that there's some way to configure the CentOS Directory Server to handle this. I know that this is supported by Active Directory (or was at some point): http://msdn.microsoft.com/en-us/library/cc223249.aspx But I can't find out how to have this be supported in CentOS DS.
centos ldap
asked Dec 21 '12 at 4:23 by ipsi (edited Dec 21 '12 at 6:05)
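The two requests in the question differ only in whether the `delete` modification carries the old value. The following is an added example, not part of the original post: a small Python parser for LDIF modify records that reports which form a password change uses, for instance when reviewing captured client requests. The function names and the classification labels are assumptions made for this illustration.

```python
# Added example. The sample records are the two requests from the question.
WITH_OLD_VALUE = """\
dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword
userpassword: location
-
add: userpassword
userpassword: american_psycho
"""
# Same record with the value line under "delete:" removed.
WITHOUT_OLD_VALUE = WITH_OLD_VALUE.replace("userpassword: location\n", "")

def parse_modify(ldif_text):
    """Parse one LDIF 'changetype: modify' record into
    (dn, [(op, attr, [values]), ...]). Plain 'attr: value' lines only;
    base64 ('::') values and folded lines are not handled."""
    dn, mods, current = None, [], None
    for raw in ldif_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                      # end of one modification
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            if value.lower() != "modify":
                raise ValueError("only changetype: modify is handled")
        elif current is None and key in ("add", "delete", "replace"):
            current = (key, value.lower(), [])
            mods.append(current)
        elif current is not None and key == current[1]:
            current[2].append(value)
        else:
            raise ValueError("unexpected line: %r" % raw)
    return dn, mods

def classify_password_change(mods, attr="userpassword"):
    """Name the shape of the change applied to the password attribute."""
    ops = [(op, vals) for op, a, vals in mods if a == attr]
    kinds = [op for op, _ in ops]
    if not ops:
        return "no-password-change"
    if kinds == ["delete", "add"]:
        # A delete that names a value removes only that value;
        # a delete with no values removes every value of the attribute.
        return "delete-old-value+add" if ops[0][1] else "delete-all+add"
    if kinds == ["replace"]:
        return "replace"
    return "other"
```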
1 Answer
    slapcat -H ldap://host:389/uid=AUser,ou=People,dc=testldap -l export.ldif
This command exports a directory entry (or the whole database) to LDIF format.
If something is wrong with the database, you can fix it and import the LDIF file.
answered Dec 22 '12 at 23:57 by rhasti