Tuesday, September 28, 2021

[389-users] Re: passwordAdminDN help

On 9/28/21 5:53 PM, Morgan Jones wrote:
> May I have a sanity check here? I am attempting to add pre-hashed passwords to users. If I've read the documentation correctly this should work. I've also tried putting uid=selectivesync389,ou=svc_accts,dc=domain,dc=org directly in passwordAdminDN:
>
>
> morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D cn=directory\ manager -LLLb cn=config -s base objectclass=\* passwordAdminDN
> dn: cn=config
> passwordAdminDN: cn=Passwd Admins,ou=groups,dc=domain,dc=org
>
> morgan@woodrow-2 ~ %
>
>
> morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D cn=directory\ manager -LLLb dc=domain,dc=org cn=passwd\ admins
> dn: cn=Passwd Admins,ou=groups,dc=domain,dc=org
> description: password admins
> objectClass: top
> objectClass: groupofuniquenames
> cn: Passwd Admins
> uniqueMember: uid=selectivesync389,ou=svc_accts,dc=domain,dc=org
>
> morgan@woodrow-2 ~ %
>
>
> morgan@woodrow-2 ~ % ldapmodify -a -w pass -D uid=selectivesync389,ou=svc_accts,dc=domain,dc=org -H ldaps://tstds21.domain.org
> dn: uid=zimbratest06,ou=employees,dc=domain,dc=org
> changetype: modify
> replace: userpassword
> userpassword: {SHA}hrJ6x38+yn2LiTm1qqkGjNXAh8I=
>
> modifying entry "uid=zimbratest06,ou=employees,dc=domain,dc=org"
> ldap_modify: Constraint violation (19)
> additional info: invalid password syntax - passwords with storage scheme are not allowed
>
> morgan@woodrow-2 ~ %
>
>
> We're running 1.3.10 on CentOS 7.9:
>
> [root@tstds21 morgan]# cat /etc/redhat-release
> CentOS Linux release 7.9.2009 (Core)
> [root@tstds21 morgan]# rpm -qa|grep 389
> 389-adminutil-1.1.22-2.el7.x86_64
> 389-ds-base-1.3.10.2-10.el7_9.x86_64
> 389-ds-console-doc-1.2.16-1.el7.noarch
> 389-ds-base-libs-1.3.10.2-10.el7_9.x86_64
> 389-console-1.1.19-6.el7.noarch
> 389-ds-console-1.2.16-1.el7.noarch
> 389-dsgw-1.1.11-5.el7.x86_64
> 389-admin-console-1.1.12-1.el7.noarch
> 389-ds-1.2.2-6.el7.noarch
> 389-admin-console-doc-1.1.12-1.el7.noarch
> 389-admin-1.1.46-4.el7.x86_64
> [root@tstds21 morgan]#
>
>
>
> Am I missing something?? thank you!

You are not, you set it up correctly.  One thing you did not list was
that you are supposed to add an aci that allows that group to update the
userpassword attribute, but that would not explain the constraint
violation.  It could be a bug.

One quick question, are you also using a subtree/local password policy
that might be conflicting with the global password policy? Local
policies override the global policy.

Mark

>
> -morgan
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment