David,

On Sat, May 30, 2015 at 3:12 AM, David Paulsen <[email protected]> wrote:
> David Paulsen <dave.paulsen@...> writes:
>
> > Kiran Ayyagari <kayyagari <at> ...> writes:
> >
> > > On Fri, May 29, 2015 at 2:13 AM, David Paulsen <dave.paulsen <at> ...> wrote:
> > >
> > > > I'm running into a strange issue. I have two separate servers running the
> > > > official 2.0.0-M20 release. In one instance I can change the password to
> > > > anything I want (including the same password) when I bind to the
> > > > connection using the built-in admin user (dn=uid=admin,ou=system). In
> > > > another instance running the same version of the 2.0.0-M20 release, that
> > > > exact same operation (again bound as admin user) results in the following
> > > > error: invalid reuse of password present in password history
> > >
> > > you sure that this is happening during bind? this check is performed only
> > > while updating the password of a user (excluding admin user)
> > >
> > > > It should never enforce the password policy for the admin user, correct?
> > > > Any idea what could be causing it to enforce the policy in one M20
> > > > instance and not the other?
> > > >
> > > > Thanks!
> >
> > Hi Kiran...
> >
> > Right. It didn't happen during bind, it happened when I tried to update
> > the password to the same value after binding as the
> > dn=uid=admin,ou=system user.
>
> I found a way to recreate this problem. I believe the issue is that when
> bound to a connection using the "uid=admin,ou=system" user, it enforces
> the ads-pwdInHistory in the password policy of the uid I'm changing the
> password for.
>
> For example, if I'm changing the password for
> uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has
> a pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
> it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting
> even with the admin user.
>
> My understanding is that since it's the admin user, it should not be
> enforcing any password policy rules.
>
> Steps:
> (1) Create a password policy where the ads-pwdInHistory is greater than
> 0 so it enforces not reusing passwords.
> (2) Create a uid and set its pwdPolicySubentry to the above password
> policy.
> (3) Create a connection and bind to it using the "uid=admin,ou=system"
> user, and then modify the password for the above uid. You will get this
> error:
> error: invalid reuse of password present in password history

can you file a bug, I will take a look.

thank you

--
Kiran Ayyagari
http://keydap.com
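Added illustration, not ApacheDS code: a small Python model of the pwdInHistory check as this thread describes it, with a switch between the reported behaviour (the target entry's policy is applied even when bound as uid=admin,ou=system) and the expected behaviour (the admin bind is exempt). The policy id, history depth and user DN are constructed sample values, and the history bookkeeping is a simplification rather than ApacheDS's real implementation.

```python
"""Toy model of LDAP password-history enforcement (illustration, not ApacheDS)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

ADMIN_DN = "uid=admin,ou=system"   # the built-in admin bind from the thread


@dataclass
class PasswordPolicy:
    pwd_id: str          # ads-pwdId
    pwd_in_history: int  # ads-pwdInHistory: old passwords remembered; 0 disables


@dataclass
class Entry:
    dn: str
    password: str
    policy: Optional[PasswordPolicy] = None        # pwdPolicySubentry, if any
    history: List[str] = field(default_factory=list)  # hashes, newest first


class PasswordHistoryError(Exception):
    pass


def _digest(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def change_password(bound_dn: str, entry: Entry, new_password: str,
                    exempt_admin: bool = True) -> bool:
    """Update entry.password, applying the target entry's pwdInHistory policy.

    exempt_admin=False reproduces the behaviour reported in the thread: the
    policy attached to the *target* entry is enforced even for the admin bind.
    exempt_admin=True is the expected behaviour: admin bypasses the policy.
    """
    policy = entry.policy
    enforce = policy is not None and policy.pwd_in_history > 0
    if enforce and exempt_admin and bound_dn == ADMIN_DN:
        enforce = False   # admin is not subject to the user's policy
    if enforce:
        # current password plus the most recent (n-1) old ones count as "reused"
        recent = [_digest(entry.password)] + entry.history[: policy.pwd_in_history - 1]
        if _digest(new_password) in recent:
            raise PasswordHistoryError(
                "invalid reuse of password present in password history")
    entry.history.insert(0, _digest(entry.password))
    entry.password = new_password
    return True
```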
