On 9/28/21 5:53 PM, Morgan Jones wrote:
May I have a sanity check here? I am attempting to add pre-hashed passwords to users. If I’ve read the documentation correctly this should work. I’ve also tried putting uid=selectivesync389,ou=svc_accts,dc=domain,dc=org directly in passwordAdminDN:morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D cn=directory\ manager -LLLb cn=config -s base objectclass=\* passwordAdminDN dn: cn=config passwordAdminDN: cn=Passwd Admins,ou=groups,dc=domain,dc=org morgan@woodrow-2 ~ % morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D cn=directory\ manager -LLLb dc=domain,dc=org cn=passwd\ admins dn: cn=Passwd Admins,ou=groups,dc=domain,dc=org description: password admins objectClass: top objectClass: groupofuniquenames cn: Passwd Admins uniqueMember: uid=selectivesync389,ou=svc_accts,dc=domain,dc=org morgan@woodrow-2 ~ % morgan@woodrow-2 ~ % ldapmodify -a -w pass -D uid=selectivesync389,ou=svc_accts,dc=domain,dc=org -H ldaps://tstds21.domain.org dn: uid=zimbratest06,ou=employees,dc=domain,dc=org changetype: modify replace: userpassword userpassword: {SHA}hrJ6x38+yn2LiTm1qqkGjNXAh8I= modifying entry "uid=zimbratest06,ou=employees,dc=domain,dc=org" ldap_modify: Constraint violation (19) additional info: invalid password syntax - passwords with storage scheme are not allowed morgan@woodrow-2 ~ % We’re running 1.3.10 on CentOS 7.9: [root@tstds21 morgan]# cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) [root@tstds21 morgan]# rpm -qa|grep 389 389-adminutil-1.1.22-2.el7.x86_64 389-ds-base-1.3.10.2-10.el7_9.x86_64 389-ds-console-doc-1.2.16-1.el7.noarch 389-ds-base-libs-1.3.10.2-10.el7_9.x86_64 389-console-1.1.19-6.el7.noarch 389-ds-console-1.2.16-1.el7.noarch 389-dsgw-1.1.11-5.el7.x86_64 389-admin-console-1.1.12-1.el7.noarch 389-ds-1.2.2-6.el7.noarch 389-admin-console-doc-1.1.12-1.el7.noarch 389-admin-1.1.46-4.el7.x86_64 [root@tstds21 morgan]# Am I missing something?? thank you!
You are not, you set it up correctly. One thing you did not list was that you are supposed to add an aci that allows that group to update the userpassword attribute, but that would not explain the constraint violation. It could be a bug.
One quick question, are you also using a subtree/local password policy that might be conflicting with the global password policy? Local policies override the global policy.
Mark
-morgan _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- Directory Server Development Team _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
