Well I just like to note that you SHOULD NOT want to use a password like that.
It's completely insecure and thus a very BAD idea from a security perspective.
As far as I know, you can override a directory wide password policy per account, so if the restrictions come from there, just change them there, there is a setting that defines how different a next password should be.
If it come from a module in between with similar rules and if you really want to do this, you should also modify it there.
If the module correctly handles LDAP responses regarding password policies, then you should be able to disable the checks there.
It's completely insecure and thus a very BAD idea from a security perspective.
As far as I know, you can override a directory wide password policy per account, so if the restrictions come from there, just change them there, there is a setting that defines how different a next password should be.
If it come from a module in between with similar rules and if you really want to do this, you should also modify it there.
If the module correctly handles LDAP responses regarding password policies, then you should be able to disable the checks there.
On Wed, May 28, 2014 at 11:06 PM, John Trump <trumpjk@gmail.com> wrote:
The issue was being caused by the pam module on the linux systems. Not sure why I have to modify pam module to allow similar paswords when changing ldap passwords.On Wed, May 28, 2014 at 4:24 PM, Mark Reynolds <mareynol@redhat.com> wrote:How are you changing the password, are you using ldapmodify? Can you post access log(/var/log/dirsrv/slapd-INSTANCE/access) output showing the failed password attempt?
On 05/28/2014 04:21 PM, John Trump wrote:
Not using any other client app. User logged on to a linux system and trying to change password. If they choose a password to similar to the old one it will not allow it.
On Wed, May 28, 2014 at 4:14 PM, Mark Reynolds <mareynol@redhat.com> wrote:
I'm not aware of a setting in 389 that prohibits you from using secret01, then secret02, and then secret03, etc. These should all be allowed. Are you using some other client app(freeIPA?) to make these password updates?
On 05/28/2014 04:06 PM, John Trump wrote:
Haven't been able to come up with a solution yet. Hopefully someone on the list has a suggestion.
On Fri, May 23, 2014 at 12:42 PM, John Trump <trumpjk@gmail.com> wrote:
I would like to relax the password policy for specific users to allow them to modify passwords but use similar password to their old one. These are "group" accounts and would like to allow password to be set to: password01 then allow password to be changed to password02. Currently this is not allowed. I understand security risk etc in allowing this. I do want to keep other password complexity and history settings.
Suggestions?
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
No comments:
Post a Comment