LDAP (with ppolicy) errors on changing other user's password


I've set up an LDAP server with the ppolicy overlay, but now am having trouble resetting users' passwords in some cases: if the user has had a failed login, then the pwdFailureTime attribute exists and ldapmodify fails, complaining that it doesn't.



If my most recent log-in attempt was successful, then I can bind as cn=admin and run the ldif file:



dn: uid=anton,ou=accounts,dc=[redacted],dc=ca
changetype: modify
replace: userPassword
userPassword: foobar
-
replace: pwdReset
pwdReset: TRUE


which succeeds. However, if the last log-in attempt was with a wrong password, ppolicy adds a pwdFailureTime attribute to the account, and then trying to run the ldif file above results in:



$ ldapmodify -x -D "cn=admin,dc=[redacted],dc=ca" -W -H ldap:// -f pwreset.ldif
Enter LDAP Password:
modifying entry "uid=anton,ou=accounts,dc=[redacted],dc=ca"
ldap_modify: No such attribute (16)
additional info: modify/delete: pwdFailureTime: no such attribute


If I try deleting the pwdFailureTime attribute before resetting the password, then I get:



ldap_modify: Constraint violation (19)
additional info: pwdFailureTime: no user modification allowed


In real life, if a user's forgotten their password and needs it reset, they will generally have tried to recall the password several times, so will have the pwdFailureTime attribute set. Any suggestions?










      ldap openldap






      asked Jun 9 '17 at 15:13









      Anton

          1 Answer
          As the IETF draft states:




          8.2.7. Policy State Updates



          If the steps have completed without causing an error condition, the
          server performs the following steps in order to update the necessary
          password policy state attributes:



          If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
          updates the pwdChangedTime attribute on the entry to the current time.



          If the value of pwdInHistory is non-zero, the server adds the previous
          password (if one existed) to the pwdHistory attribute. If the number
          of attributes held in the pwdHistory attribute exceeds the value of
          pwdInHistory, the server removes the oldest excess passwords.



          If the value of pwdMustChange is TRUE and the modification is
          performed by a password administrator, then the pwdReset attribute is
          set to TRUE. Otherwise, the pwdReset is removed from the user's entry
          if it exists.



          The pwdFailureTime and pwdGraceUseTime attributes are removed from the
          user's entry if they exist.




          If I'm not mistaken, an LDIF modify is an atomic operation, so when userPassword is modified it chains to removing the pwdFailureTime attribute, which is why the modification of pwdReset, which also seems to trigger the removal of pwdFailureTime, fails.



          Why do you need to set pwdReset to TRUE? You already reset it. If it is to ensure that the user must "reset" the password themselves at the first connection:



          maybe try instead setting the pwdMustChange attribute to TRUE, which should set the pwdReset attribute to TRUE (according to the IETF draft on which the OpenLDAP ppolicy overlay is based),



          or maybe just switching the two modifications in the LDIF could do the trick.






          • Sorry, didn't get back to this until now. I've left pwdMustChange as FALSE, because mostly my users will be interacting through a web page, which I've put together using PHP, which only has an ldap_modify, which someone with pwdReset=TRUE wouldn't have permission to use... Removing the lines resetting pwdReset doesn't change the error, and I get the same error using phpLdapAdmin, or using ldappasswd at the command line.

            – Anton
            Jun 22 '17 at 21:18













          • Ah, however, if I switch the two modifications in the LDIF, then it appears to work. I did hit some other issues, which all seem to centre around the problem that if any policies in ppolicy are triggered, these create internal attributes, and then password changes fail because those attributes don't exist (but only where they actually do). So I guess the workaround for now is to basically not use any of the policies.

            – Anton
            Jun 22 '17 at 22:32











          answered Jun 14 '17 at 10:30









          Esteban
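A worked version of the reset, added here as an example; it is not code from the question or the answer. It wraps the same ldapmodify call the question uses, but emits the two modifications in the order Anton reported as working (pwdReset first, then userPassword), base64-encodes LDIF values that RFC 2849 does not allow in cleartext, and maps the two error messages seen in the thread to a diagnosis. It assumes ldapmodify is on PATH, that the admin bind password sits in a file passed with -y (so it is neither prompted for nor visible in the process list), and it defaults to ldapi:/// because the new password has to be submitted in cleartext for ppolicy's pwdCheckQuality to see it; over ldap:// add -ZZ to require StartTLS, and set ppolicy_hash_cleartext in slapd so the stored value is hashed. The DN and password in the usage line are made up.

```python
"""Admin password reset against slapd with the ppolicy overlay (added example)."""
import base64
import re
import subprocess
from typing import List, Optional

# LDAP result codes (RFC 4511) that appear in the thread.
LDAP_NO_SUCH_ATTRIBUTE = 16
LDAP_CONSTRAINT_VIOLATION = 19


def ldif_value(attr: str, value: str) -> str:
    """Render one 'attr: value' line, base64-encoding when RFC 2849 requires it.

    A value must be written as 'attr:: <base64>' if it starts with a space,
    ':' or '<', ends with a space, or contains anything outside printable
    7-bit ASCII (that covers NUL, CR, LF and UTF-8 passwords).
    """
    if value == "":
        return f"{attr}: "
    safe_first = value[0] not in " :<"
    safe_body = all(0x20 <= ord(c) <= 0x7E for c in value) and not value.endswith(" ")
    if safe_first and safe_body:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_reset_ldif(dn: str, new_password: str, force_change: bool = True) -> str:
    """Modify record for an administrative reset of another user's password.

    pwdReset is placed *before* userPassword: with userPassword first, the
    pwdFailureTime delete that ppolicy adds internally failed with result 16
    once the user had a failed bind; swapping the two is the thread's workaround.
    """
    mods: List[List[str]] = []
    if force_change:
        mods.append(["replace: pwdReset", "pwdReset: TRUE"])
    # Cleartext on purpose: the overlay can only check quality on cleartext.
    # Configure ppolicy_hash_cleartext so slapd stores a hash, not this value.
    mods.append(["replace: userPassword", ldif_value("userPassword", new_password)])
    record = [ldif_value("dn", dn), "changetype: modify"]
    for mod in mods:
        record.extend(mod)
        record.append("-")  # every mod-spec is terminated by '-' (RFC 2849)
    return "\n".join(record) + "\n"


_RESULT_RE = re.compile(r"^ldap_modify: (?P<msg>.+?) \((?P<code>\d+)\)$", re.MULTILINE)
_INFO_RE = re.compile(r"^\s*additional info: (?P<info>.+)$", re.MULTILINE)


def diagnose(stderr: str) -> Optional[str]:
    """Explain ldapmodify's stderr; None when it contains no result line."""
    m = _RESULT_RE.search(stderr)
    if m is None:
        return None
    code = int(m.group("code"))
    info_m = _INFO_RE.search(stderr)
    info = info_m.group("info") if info_m else ""
    if code == LDAP_NO_SUCH_ATTRIBUTE and "pwdFailureTime" in info:
        # The LDIF never asked to delete pwdFailureTime; ppolicy added that
        # delete itself when userPassword changed, and the delete then failed.
        return ("ppolicy's own delete of pwdFailureTime failed; put the pwdReset "
                "modification before userPassword in the LDIF")
    if code == LDAP_CONSTRAINT_VIOLATION and "no user modification allowed" in info:
        attr = info.split(":", 1)[0].strip()
        return (f"{attr} is NO-USER-MODIFICATION; do not delete ppolicy state "
                "attributes by hand, let the overlay clear them on a successful reset")
    return f"ldapmodify failed with result code {code}: {m.group('msg')}"


def run_reset(dn: str, new_password: str, bind_dn: str, passwd_file: str,
              uri: str = "ldapi:///") -> str:
    """Submit the record with ldapmodify; raises RuntimeError with a diagnosis.

    ldapi:// keeps the cleartext off the network; for ldap:// hosts add "-ZZ".
    """
    argv = ["ldapmodify", "-x", "-H", uri, "-D", bind_dn, "-y", passwd_file]
    proc = subprocess.run(argv, input=build_reset_ldif(dn, new_password),
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(diagnose(proc.stderr) or proc.stderr.strip())
    return proc.stdout


if __name__ == "__main__":
    # Print the record only; run_reset() needs a live slapd and admin credentials.
    print(build_reset_ldif("uid=anton,ou=accounts,dc=example,dc=ca", "correct horse"), end="")
```

Only build_reset_ldif() and diagnose() run without a directory; run_reset() needs a live slapd and an admin credential file. The thread dates from 2017 (OpenLDAP 2.4), so whether the reordering is still needed on a newer release should be checked against a user entry that actually carries pwdFailureTime, since that is the case the original order failed on.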
