> On Sep 28, 2021, at 6:09 PM, Mark Reynolds <mreyno...@redhat.com> wrote:
>
> You are not, you set it up correctly. One thing you did not list was that
> you are supposed to add an aci that allows that group to update the
> userpassword attribute, but that would not explain the constraint violation.
> It could be a bug.
>
> One quick question, are you also using a subtree/local password policy that
> might be conflicting with the global password policy? Local policies override
> the global policy.
>
> Mark

Mark,

Thank you for the quick response! I do have an aci set up and I can update passwords as uid=selectivesync389,ou=svc_accts,dc=domain,dc=org if I pass in a plain text password.

I don’t believe we have a subtree/local policy but we did import this data from an ancient 389 install that we’re upgrading from. Does this answer your question? We dabbled a bit in local policies a few years ago but finally just set policies globally in cn=config. That knowledge is old but my notes say this should return subtree/local policies:

morgan@woodrow-2 ~ % ldapsearch -LLL -H ldaps://tstds21.domain -D cn=directory\ manager -x -w pass '(objectclass=passwordpolicy)'
morgan@woodrow-2 ~ %

Please correct me if my search is wrong.

thanks,
-morgan

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org