[389-users] Re: passwordAdminDN help
> On Sep 28, 2021, at 6:09 PM, Mark Reynolds wrote: > > You are not, you set it up correctly. One thing you did not list was that > you are supposed to add an aci that allows that group to update the > userpassword attribute, but that would not explain the constraint violation. > It could be a bug. > > One quick question, are you also using a subtree/local password policy that > might be conflicting with the global password policy? Local policies override > the global policy. > > Mark Mark, Thank you for the quick response! I do have an aci set up and I can update passwords as uid=selectivesync389,ou=svc_accts,dc=domain,dc=org if I pass in a plain text password. I don’t believe we have a subtree/local policy but we did import this data from an ancient 389 install that we’re upgrading from. Does this answer your question? We dabbled a bit in local policies a few years ago but finally just set policies globally in cn=config. That knowledge is old but my notes say this should return subtree/local policies: morgan@woodrow-2 ~ % ldapsearch -LLL -H ldaps://tstds21.domain -D cn=directory\ manager -x -w pass '(objectclass=passwordpolicy)' morgan@woodrow-2 ~ % please correct me if my search is wrong. thanks, -morgan ___ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[389-users] Re: passwordAdminDN help
On 9/28/21 5:53 PM, Morgan Jones wrote:
May I have a sanity check here? I am attempting to add pre-hashed passwords to
users. If I’ve read the documentation correctly this should work. I’ve also
tried putting uid=selectivesync389,ou=svc_accts,dc=domain,dc=org directly in
passwordAdminDN:
morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D
cn=directory\ manager -LLLb cn=config -s base objectclass=\* passwordAdminDN
dn: cn=config
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=domain,dc=org
morgan@woodrow-2 ~ %
morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D
cn=directory\ manager -LLLb dc=domain,dc=org cn=passwd\ admins
dn: cn=Passwd Admins,ou=groups,dc=domain,dc=org
description: password admins
objectClass: top
objectClass: groupofuniquenames
cn: Passwd Admins
uniqueMember: uid=selectivesync389,ou=svc_accts,dc=domain,dc=org
morgan@woodrow-2 ~ %
morgan@woodrow-2 ~ % ldapmodify -a -w pass -D
uid=selectivesync389,ou=svc_accts,dc=domain,dc=org -H ldaps://tstds21.domain.org
dn: uid=zimbratest06,ou=employees,dc=domain,dc=org
changetype: modify
replace: userpassword
userpassword: {SHA}hrJ6x38+yn2LiTm1qqkGjNXAh8I=
modifying entry "uid=zimbratest06,ou=employees,dc=domain,dc=org"
ldap_modify: Constraint violation (19)
additional info: invalid password syntax - passwords with storage
scheme are not allowed
morgan@woodrow-2 ~ %
We’re running 1.3.10 on CentOS 7.9:
[root@tstds21 morgan]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@tstds21 morgan]# rpm -qa|grep 389
389-adminutil-1.1.22-2.el7.x86_64
389-ds-base-1.3.10.2-10.el7_9.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-ds-base-libs-1.3.10.2-10.el7_9.x86_64
389-console-1.1.19-6.el7.noarch
389-ds-console-1.2.16-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-1.1.46-4.el7.x86_64
[root@tstds21 morgan]#
Am I missing something?? thank you!
You are not, you set it up correctly. One thing you did not list was
that you are supposed to add an aci that allows that group to update the
userpassword attribute, but that would not explain the constraint
violation. It could be a bug.
One quick question, are you also using a subtree/local password policy
that might be conflicting with the global password policy? Local
policies override the global policy.
Mark
-morgan
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
[389-users] passwordAdminDN help
May I have a sanity check here? I am attempting to add pre-hashed passwords to
users. If I’ve read the documentation correctly this should work. I’ve also
tried putting uid=selectivesync389,ou=svc_accts,dc=domain,dc=org directly in
passwordAdminDN:
morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D
cn=directory\ manager -LLLb cn=config -s base objectclass=\* passwordAdminDN
dn: cn=config
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=domain,dc=org
morgan@woodrow-2 ~ %
morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D
cn=directory\ manager -LLLb dc=domain,dc=org cn=passwd\ admins
dn: cn=Passwd Admins,ou=groups,dc=domain,dc=org
description: password admins
objectClass: top
objectClass: groupofuniquenames
cn: Passwd Admins
uniqueMember: uid=selectivesync389,ou=svc_accts,dc=domain,dc=org
morgan@woodrow-2 ~ %
morgan@woodrow-2 ~ % ldapmodify -a -w pass -D
uid=selectivesync389,ou=svc_accts,dc=domain,dc=org -H ldaps://tstds21.domain.org
dn: uid=zimbratest06,ou=employees,dc=domain,dc=org
changetype: modify
replace: userpassword
userpassword: {SHA}hrJ6x38+yn2LiTm1qqkGjNXAh8I=
modifying entry "uid=zimbratest06,ou=employees,dc=domain,dc=org"
ldap_modify: Constraint violation (19)
additional info: invalid password syntax - passwords with storage
scheme are not allowed
morgan@woodrow-2 ~ %
We’re running 1.3.10 on CentOS 7.9:
[root@tstds21 morgan]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@tstds21 morgan]# rpm -qa|grep 389
389-adminutil-1.1.22-2.el7.x86_64
389-ds-base-1.3.10.2-10.el7_9.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-ds-base-libs-1.3.10.2-10.el7_9.x86_64
389-console-1.1.19-6.el7.noarch
389-ds-console-1.2.16-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-1.1.46-4.el7.x86_64
[root@tstds21 morgan]#
Am I missing something?? thank you!
-morgan
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
