LDAP (with ppolicy) errors on changing other user's passwordLDAP (slapd) authenticated user cannot modify...

my breadboard simulation doesn't work properly

What are all the squawk codes?

Manipulate scientific format without the "e"

How do ISS astronauts "get their stripes"?

How to reorder street address on checkout page in magento 2?

Six real numbers so that product of any five is the sixth one

What is the difference between ashamed and shamed?

I can't die. Who am I?

Canadian citizen, on US no-fly list. What can I do in order to be allowed on flights which go through US airspace?

Why is s'abonner reflexive?

How do you say "powers of ten"?

What's the difference between a cart and a wagon?

Use comma instead of & in table

Did 5.25" floppies undergo a change in magnetic coating?

A right or the right?

What is a term for a function that when called repeatedly, has the same effect as calling once?

Is there a German word for “analytics”?

How can I be pwned if I'm not registered on that site?

Is there a frame of reference in which I was born before I was conceived?

Giving a talk in my old university, how prominently should I tell students my salary?

When should a commit not be version tagged?

Pure Functions: Does "No Side Effects" Imply "Always Same Output, Given Same Input"?

Sometimes a banana is just a banana

Called into a meeting and told we are being made redundant (laid off) and "not to share outside". Can I tell my partner?



LDAP (with ppolicy) errors on changing other user's password


LDAP (slapd) authenticated user cannot modify selfConfiguring openldap multimaster replication using cn=configHow to add ACIs to OpenLDAP properlyldap change schema and config passwordError “no equality matching rule” when editing LDAP Syncprov OverlayCustom schema for OpenLDAP 2.4ldap_modify: Insufficient access (50) when changing passwordOpenLDAP - ldappasswd failing with “invalid parameter supplied: unable to find callback”Openldap problems with adding attributeSet already hashed password for user against open ldap













3















I've set up an LDAP server with the ppolicy overlay, but now am having trouble resetting user's password in some cases: if the user has a failed login, then the pwdFailureTime attribute exists and ldapmodify fails complaining that it doesn't.



If my most recent log-in attempt was successful, then I can bind as cn=admin and run the ldif file:



dn: uid=anton,ou=accounts,dc=[redacted],dc=ca
changetype: modify
replace: userPassword
userPassword: foobar
-
replace: pwdReset
pwdReset: TRUE


which succeeds. However, if the last log-in attempt was with a wrong password, ppolicy adds a pwdFailureTime attribute to the account, and then trying to run the ldif file above results in:



$ ldapmodify -x -D "cn=admin,dc=[redacted],dc=ca" -W -H ldap:// -f pwreset.ldif
Enter LDAP Password:
modifying entry "uid=anton,ou=accounts,dc=[redacted],dc=ca"
ldap_modify: No such attribute (16)
additional info: modify/delete: pwdFailureTime: no such attribute


If I try deleting the pwdFailureTime attribute before resetting the password, then I get:



ldap_modify: Constraint violation (19)
additional info: pwdFailureTime: no user modification allowed


In real life, if a user's forgotten their password and needs it reset, they will generally have tried to recall the password several times, so will have the pwdFailureTime attribute set. Any suggestions?










share|improve this question














bumped to the homepage by Community 37 secs ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.




















    3















    I've set up an LDAP server with the ppolicy overlay, but now am having trouble resetting user's password in some cases: if the user has a failed login, then the pwdFailureTime attribute exists and ldapmodify fails complaining that it doesn't.



    If my most recent log-in attempt was successful, then I can bind as cn=admin and run the ldif file:



    dn: uid=anton,ou=accounts,dc=[redacted],dc=ca
    changetype: modify
    replace: userPassword
    userPassword: foobar
    -
    replace: pwdReset
    pwdReset: TRUE


    which succeeds. However, if the last log-in attempt was with a wrong password, ppolicy adds a pwdFailureTime attribute to the account, and then trying to run the ldif file above results in:



    $ ldapmodify -x -D "cn=admin,dc=[redacted],dc=ca" -W -H ldap:// -f pwreset.ldif
    Enter LDAP Password:
    modifying entry "uid=anton,ou=accounts,dc=[redacted],dc=ca"
    ldap_modify: No such attribute (16)
    additional info: modify/delete: pwdFailureTime: no such attribute


    If I try deleting the pwdFailureTime attribute before resetting the password, then I get:



    ldap_modify: Constraint violation (19)
    additional info: pwdFailureTime: no user modification allowed


    In real life, if a user's forgotten their password and needs it reset, they will generally have tried to recall the password several times, so will have the pwdFailureTime attribute set. Any suggestions?










    share|improve this question














    bumped to the homepage by Community 37 secs ago


    This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.


















      3












      3








      3








      I've set up an LDAP server with the ppolicy overlay, but now am having trouble resetting user's password in some cases: if the user has a failed login, then the pwdFailureTime attribute exists and ldapmodify fails complaining that it doesn't.



      If my most recent log-in attempt was successful, then I can bind as cn=admin and run the ldif file:



      dn: uid=anton,ou=accounts,dc=[redacted],dc=ca
      changetype: modify
      replace: userPassword
      userPassword: foobar
      -
      replace: pwdReset
      pwdReset: TRUE


      which succeeds. However, if the last log-in attempt was with a wrong password, ppolicy adds a pwdFailureTime attribute to the account, and then trying to run the ldif file above results in:



      $ ldapmodify -x -D "cn=admin,dc=[redacted],dc=ca" -W -H ldap:// -f pwreset.ldif
      Enter LDAP Password:
      modifying entry "uid=anton,ou=accounts,dc=[redacted],dc=ca"
      ldap_modify: No such attribute (16)
      additional info: modify/delete: pwdFailureTime: no such attribute


      If I try deleting the pwdFailureTime attribute before resetting the password, then I get:



      ldap_modify: Constraint violation (19)
      additional info: pwdFailureTime: no user modification allowed


      In real life, if a user's forgotten their password and needs it reset, they will generally have tried to recall the password several times, so will have the pwdFailureTime attribute set. Any suggestions?










      share|improve this question














      I've set up an LDAP server with the ppolicy overlay, but now am having trouble resetting user's password in some cases: if the user has a failed login, then the pwdFailureTime attribute exists and ldapmodify fails complaining that it doesn't.



      If my most recent log-in attempt was successful, then I can bind as cn=admin and run the ldif file:



      dn: uid=anton,ou=accounts,dc=[redacted],dc=ca
      changetype: modify
      replace: userPassword
      userPassword: foobar
      -
      replace: pwdReset
      pwdReset: TRUE


      which succeeds. However, if the last log-in attempt was with a wrong password, ppolicy adds a pwdFailureTime attribute to the account, and then trying to run the ldif file above results in:



      $ ldapmodify -x -D "cn=admin,dc=[redacted],dc=ca" -W -H ldap:// -f pwreset.ldif
      Enter LDAP Password:
      modifying entry "uid=anton,ou=accounts,dc=[redacted],dc=ca"
      ldap_modify: No such attribute (16)
      additional info: modify/delete: pwdFailureTime: no such attribute


      If I try deleting the pwdFailureTime attribute before resetting the password, then I get:



      ldap_modify: Constraint violation (19)
      additional info: pwdFailureTime: no user modification allowed


      In real life, if a user's forgotten their password and needs it reset, they will generally have tried to recall the password several times, so will have the pwdFailureTime attribute set. Any suggestions?







      ldap openldap






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jun 9 '17 at 15:13









      AntonAnton

      162




      162





      bumped to the homepage by Community 37 secs ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







      bumped to the homepage by Community 37 secs ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
























          1 Answer
          1






          active

          oldest

          votes


















          0














          As for the IETF draft states :




          8.2.7. Policy State Updates



          If the steps have completed without causing an error condition, the
          server performs the following steps in order to update the necessary
          password policy state attributes:



          If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
          updates the pwdChangedTime attribute on the entry to the current time.



          If the value of pwdInHistory is non-zero, the server adds the previous
          password (if one existed) to the pwdHistory attribute. If the number
          of attributes held in the pwdHistory attribute exceeds the value of
          pwdInHistory, the server removes the oldest excess passwords.



          If the value the pwdMustChange is TRUE and the modification is
          performed by a password administrator, then the pwdReset attribute is
          set to TRUE. Otherwise, the pwdReset is removed from the user's entry
          if it exists.



          The pwdFailureTime and pwdGraceUseTime attributes is removed from the
          user's entry if they exist.




          If I'm not mistaken, LDIF is atomic operations, so when the userPassword is modified, it chains to removing the pwdFailureTime attribute, hence why when the modification of pwdReset which seems to trigger also the removing of pwdFailureTime fails.



          Why do you need to set the pwdReset to TRUE ? You already reset it. If it is to ensure that the user must "reset" himself the password at the first connection :



          may be try instead to modify the pwsMustChange attribute to TRUE, which should set the pwdReset attribute to TRUE(according to the IETF on which is based the OpenLDAP ppolicy)



          or may be just switch the two modifications on the LDIF could do the trick.






          share|improve this answer
























          • Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

            – Anton
            Jun 22 '17 at 21:18













          • Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

            – Anton
            Jun 22 '17 at 22:32











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f854890%2fldap-with-ppolicy-errors-on-changing-other-users-password%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          As for the IETF draft states :




          8.2.7. Policy State Updates



          If the steps have completed without causing an error condition, the
          server performs the following steps in order to update the necessary
          password policy state attributes:



          If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
          updates the pwdChangedTime attribute on the entry to the current time.



          If the value of pwdInHistory is non-zero, the server adds the previous
          password (if one existed) to the pwdHistory attribute. If the number
          of attributes held in the pwdHistory attribute exceeds the value of
          pwdInHistory, the server removes the oldest excess passwords.



          If the value the pwdMustChange is TRUE and the modification is
          performed by a password administrator, then the pwdReset attribute is
          set to TRUE. Otherwise, the pwdReset is removed from the user's entry
          if it exists.



          The pwdFailureTime and pwdGraceUseTime attributes is removed from the
          user's entry if they exist.




          If I'm not mistaken, LDIF is atomic operations, so when the userPassword is modified, it chains to removing the pwdFailureTime attribute, hence why when the modification of pwdReset which seems to trigger also the removing of pwdFailureTime fails.



          Why do you need to set the pwdReset to TRUE ? You already reset it. If it is to ensure that the user must "reset" himself the password at the first connection :



          may be try instead to modify the pwsMustChange attribute to TRUE, which should set the pwdReset attribute to TRUE(according to the IETF on which is based the OpenLDAP ppolicy)



          or may be just switch the two modifications on the LDIF could do the trick.






          share|improve this answer
























          • Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

            – Anton
            Jun 22 '17 at 21:18













          • Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

            – Anton
            Jun 22 '17 at 22:32
















          0














          As for the IETF draft states :




          8.2.7. Policy State Updates



          If the steps have completed without causing an error condition, the
          server performs the following steps in order to update the necessary
          password policy state attributes:



          If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
          updates the pwdChangedTime attribute on the entry to the current time.



          If the value of pwdInHistory is non-zero, the server adds the previous
          password (if one existed) to the pwdHistory attribute. If the number
          of attributes held in the pwdHistory attribute exceeds the value of
          pwdInHistory, the server removes the oldest excess passwords.



          If the value the pwdMustChange is TRUE and the modification is
          performed by a password administrator, then the pwdReset attribute is
          set to TRUE. Otherwise, the pwdReset is removed from the user's entry
          if it exists.



          The pwdFailureTime and pwdGraceUseTime attributes is removed from the
          user's entry if they exist.




          If I'm not mistaken, LDIF is atomic operations, so when the userPassword is modified, it chains to removing the pwdFailureTime attribute, hence why when the modification of pwdReset which seems to trigger also the removing of pwdFailureTime fails.



          Why do you need to set the pwdReset to TRUE ? You already reset it. If it is to ensure that the user must "reset" himself the password at the first connection :



          may be try instead to modify the pwsMustChange attribute to TRUE, which should set the pwdReset attribute to TRUE(according to the IETF on which is based the OpenLDAP ppolicy)



          or may be just switch the two modifications on the LDIF could do the trick.






          share|improve this answer
























          • Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

            – Anton
            Jun 22 '17 at 21:18













          • Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

            – Anton
            Jun 22 '17 at 22:32














          0












          0








          0







          As for the IETF draft states :




          8.2.7. Policy State Updates



          If the steps have completed without causing an error condition, the
          server performs the following steps in order to update the necessary
          password policy state attributes:



          If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
          updates the pwdChangedTime attribute on the entry to the current time.



          If the value of pwdInHistory is non-zero, the server adds the previous
          password (if one existed) to the pwdHistory attribute. If the number
          of attributes held in the pwdHistory attribute exceeds the value of
          pwdInHistory, the server removes the oldest excess passwords.



          If the value the pwdMustChange is TRUE and the modification is
          performed by a password administrator, then the pwdReset attribute is
          set to TRUE. Otherwise, the pwdReset is removed from the user's entry
          if it exists.



          The pwdFailureTime and pwdGraceUseTime attributes is removed from the
          user's entry if they exist.




          If I'm not mistaken, LDIF is atomic operations, so when the userPassword is modified, it chains to removing the pwdFailureTime attribute, hence why when the modification of pwdReset which seems to trigger also the removing of pwdFailureTime fails.



          Why do you need to set the pwdReset to TRUE ? You already reset it. If it is to ensure that the user must "reset" himself the password at the first connection :



          may be try instead to modify the pwsMustChange attribute to TRUE, which should set the pwdReset attribute to TRUE(according to the IETF on which is based the OpenLDAP ppolicy)



          or may be just switch the two modifications on the LDIF could do the trick.






          share|improve this answer













          As for the IETF draft states :




          8.2.7. Policy State Updates



          If the steps have completed without causing an error condition, the
          server performs the following steps in order to update the necessary
          password policy state attributes:



          If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
          updates the pwdChangedTime attribute on the entry to the current time.



          If the value of pwdInHistory is non-zero, the server adds the previous
          password (if one existed) to the pwdHistory attribute. If the number
          of attributes held in the pwdHistory attribute exceeds the value of
          pwdInHistory, the server removes the oldest excess passwords.



          If the value the pwdMustChange is TRUE and the modification is
          performed by a password administrator, then the pwdReset attribute is
          set to TRUE. Otherwise, the pwdReset is removed from the user's entry
          if it exists.



          The pwdFailureTime and pwdGraceUseTime attributes is removed from the
          user's entry if they exist.




          If I'm not mistaken, LDIF is atomic operations, so when the userPassword is modified, it chains to removing the pwdFailureTime attribute, hence why when the modification of pwdReset which seems to trigger also the removing of pwdFailureTime fails.



          Why do you need to set the pwdReset to TRUE ? You already reset it. If it is to ensure that the user must "reset" himself the password at the first connection :



          may be try instead to modify the pwsMustChange attribute to TRUE, which should set the pwdReset attribute to TRUE(according to the IETF on which is based the OpenLDAP ppolicy)



          or may be just switch the two modifications on the LDIF could do the trick.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jun 14 '17 at 10:30









          EstebanEsteban

          23117




          23117













          • Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

            – Anton
            Jun 22 '17 at 21:18













          • Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

            – Anton
            Jun 22 '17 at 22:32



















          • Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

            – Anton
            Jun 22 '17 at 21:18













          • Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

            – Anton
            Jun 22 '17 at 22:32

















          Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

          – Anton
          Jun 22 '17 at 21:18







          Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

          – Anton
          Jun 22 '17 at 21:18















          Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

          – Anton
          Jun 22 '17 at 22:32





          Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

          – Anton
          Jun 22 '17 at 22:32


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f854890%2fldap-with-ppolicy-errors-on-changing-other-users-password%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

          Список ссавців Італії Природоохоронні статуси | Список |...

          Маріан Котлеба Зміст Життєпис | Політичні погляди |...