Posted to users@directory.apache.org by David Paulsen <da...@kewill.com> on 2015/05/28 20:13:29 UTC
Password Policy Enforced for admin user
I'm running into a strange issue. I have two separate servers running the
official 2.0.0-M20 release. In one instance I can change the password to
anything I want (including the same password) when I bind to the
connection using the built-in admin user (dn=uid=admin,ou=system). In
another instance running the same version of the 2.0.0-M20 release, that
exact same operation (again bound as admin user) results in the following
error: invalid reuse of password present in password history
It should never enforce the password policy for the admin user, correct?
Any idea what could be causing it to enforce the policy in one M20
instance and not the other?
Thanks!
Re: Password Policy Enforced for admin user
Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jun 9, 2015 at 9:40 PM, David Paulsen <da...@kewill.com>
wrote:
>
> > Bug created:
> > https://issues.apache.org/jira/browse/DIRSERVER-2067
> >
> >
> Will this bug be fixed in the next release?
>
yes, certainly
--
Kiran Ayyagari
http://keydap.com
Re: Password Policy Enforced for admin user
Posted by David Paulsen <da...@kewill.com>.
> Bug created:
> https://issues.apache.org/jira/browse/DIRSERVER-2067
>
>
Will this bug be fixed in the next release?
Re: Password Policy Enforced for admin user
Posted by David Paulsen <da...@kewill.com>.
> can you file a bug, I will take a look.
>
> thank you
>
Bug created:
https://issues.apache.org/jira/browse/DIRSERVER-2067
Re: Password Policy Enforced for admin user
Posted by Kiran Ayyagari <ka...@apache.org>.
David,
On Sat, May 30, 2015 at 3:12 AM, David Paulsen <da...@kewill.com>
wrote:
> David Paulsen <da...@...> writes:
>
> > Kiran Ayyagari <kayyagari <at> ...> writes:
> >
> > > On Fri, May 29, 2015 at 2:13 AM, David Paulsen <dave.paulsen <at> ...>
> > > wrote:
> > >
> > > > I'm running into a strange issue. I have two separate servers running the
> > > > official 2.0.0-M20 release. In one instance I can change the password to
> > > > anything I want (including the same password) when I bind to the
> > > > connection using the built-in admin user (dn=uid=admin,ou=system). In
> > > > another instance running the same version of the 2.0.0-M20 release, that
> > > > exact same operation (again bound as admin user) results in the following
> > > > error: invalid reuse of password present in password history
> > > >
> > > you sure that this is happening during bind? this check is performed only
> > > while updating the password of a user (excluding admin user)
> > >
> > > > It should never enforce the password policy for the admin user, correct?
> > > > Any idea what could be causing it to enforce the policy in one M20
> > > > instance and not the other?
> > > >
> > > > Thanks!
> > >
> >
> > Hi Kiran...
> >
> > Right. It didn't happen during bind, it happened when I tried to update
> > the password to the same value after binding as the
> > dn=uid=admin,ou=system user.
> >
> I found a way to recreate this problem. I believe the issue is that when
> bound to a connection using the "uid=admin,ou=system" user, it enforces
> the ads-pwdInHistory in the password policy of the uid I'm changing the
> password for. For example, if I'm changing the password for
> uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has
> a pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
> it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting
> even with the admin user.
>
> My understanding is that since it's the admin user, it should not be
> enforcing any password policy rules.
>
> Steps:
> (1) Create a password policy where the ads-pwdInHistory is greater than
> 0 so it enforces not reusing passwords.
> (2) Create a uid and set its pwdPolicySubentry to the above password
> policy.
> (3) Create a connection and bind to it using the "uid=admin,ou=system"
> user, and then modify the password for the above uid. You will get this
> error:
> error: invalid reuse of password present in password history
>
can you file a bug, I will take a look.
thank you
--
Kiran Ayyagari
http://keydap.com
Re: Password Policy Enforced for admin user
Posted by David Paulsen <da...@kewill.com>.
David Paulsen <da...@...> writes:
>
> Kiran Ayyagari <kayyagari <at> ...> writes:
>
> > On Fri, May 29, 2015 at 2:13 AM, David Paulsen <dave.paulsen <at> ...>
> > wrote:
> >
> > > I'm running into a strange issue. I have two separate servers running the
> > > official 2.0.0-M20 release. In one instance I can change the password to
> > > anything I want (including the same password) when I bind to the
> > > connection using the built-in admin user (dn=uid=admin,ou=system). In
> > > another instance running the same version of the 2.0.0-M20 release, that
> > > exact same operation (again bound as admin user) results in the following
> > > error: invalid reuse of password present in password history
> > >
> > you sure that this is happening during bind? this check is performed only
> > while updating the password of a user (excluding admin user)
> >
> > > It should never enforce the password policy for the admin user, correct?
> > > Any idea what could be causing it to enforce the policy in one M20
> > > instance and not the other?
> > >
> > > Thanks!
> >
>
> Hi Kiran...
>
> Right. It didn't happen during bind, it happened when I tried to update
> the password to the same value after binding as the
> dn=uid=admin,ou=system user.
>
I found a way to recreate this problem. I believe the issue is that when
bound to a connection using the "uid=admin,ou=system" user, it enforces
the ads-pwdInHistory in the password policy of the uid I'm changing the
password for. For example, if I'm changing the password for
uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has
a pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting
even with the admin user.
My understanding is that since it's the admin user, it should not be
enforcing any password policy rules.
Steps:
(1) Create a password policy where the ads-pwdInHistory is greater than
0 so it enforces not reusing passwords.
(2) Create a uid and set its pwdPolicySubentry to the above password
policy.
(3) Create a connection and bind to it using the "uid=admin,ou=system"
user, and then modify the password for the above uid. You will get this
error:
error: invalid reuse of password present in password history
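A simplified model of the history check the three steps above exercise, added here as an illustration; it is not code from the thread or from ApacheDS. The DNs, attribute names and error string come from the report; the policy contents, the sample passwords and the SHA-256 stand-in for stored hashes are constructed. `exempt_admin=False` models the behaviour reported for 2.0.0-M20, `exempt_admin=True` the behaviour the thread describes as intended.

```python
import hashlib

ADMIN_DN = "uid=admin,ou=system"
HISTORY_ERROR = "invalid reuse of password present in password history"

# Constructed policy for step (1): ads-pwdInHistory > 0 turns the reuse check on.
POLICY_DN = ("ads-pwdId=DVHead8300,ou=passwordPolicies,"
             "ads-interceptorId=authenticationInterceptor,ou=interceptors,"
             "ads-directoryServiceId=default,ou=config")
POLICIES = {POLICY_DN: {"ads-pwdInHistory": 3}}


def pwd_hash(password):
    # Stand-in for the hashed values the server keeps; plain SHA-256 is a simplification.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_entry(dn, password, policy_dn):
    """Constructed user entry for step (2): current password plus an empty history."""
    return {"dn": dn, "userPassword": pwd_hash(password),
            "pwdPolicySubentry": policy_dn, "pwdHistory": []}


def change_password(bind_dn, entry, new_password, policies, exempt_admin=True):
    """Apply a password modify. Returns None on success or the error string.

    exempt_admin=False: the target entry's policy is enforced even when the
    binder is the admin user (the reported M20 behaviour).
    exempt_admin=True: the admin binder skips the history check (intended)."""
    policy = policies.get(entry["pwdPolicySubentry"], {})
    in_history = policy.get("ads-pwdInHistory", 0)
    new_hash = pwd_hash(new_password)
    if in_history > 0 and not (exempt_admin and bind_dn == ADMIN_DN):
        if new_hash == entry["userPassword"] or new_hash in entry["pwdHistory"]:
            return HISTORY_ERROR
    if in_history > 0:
        # Keep the last in_history used passwords, newest last.
        entry["pwdHistory"] = (entry["pwdHistory"] + [entry["userPassword"]])[-in_history:]
    entry["userPassword"] = new_hash
    return None


def reproduce():
    """Step (3): bound as admin, re-set the user's current password."""
    user_dn = "uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com"
    results = {}
    for exempt in (False, True):
        entry = make_entry(user_dn, "constructed-pw-1", POLICY_DN)  # constructed
        results[exempt] = change_password(ADMIN_DN, entry, "constructed-pw-1",
                                          POLICIES, exempt_admin=exempt)
    return results  # {False: HISTORY_ERROR, True: None}
```

The model also shows that a self-service change by the user itself is refused on reuse in both modes, which is the part of the check the thread says should stay in force.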
Re: Password Policy Enforced for admin user
Posted by David Paulsen <da...@kewill.com>.
Kiran Ayyagari <ka...@...> writes:
>
> On Fri, May 29, 2015 at 2:13 AM, David Paulsen <da...@...>
> wrote:
>
> > I'm running into a strange issue. I have two separate servers running the
> > official 2.0.0-M20 release. In one instance I can change the password to
> > anything I want (including the same password) when I bind to the
> > connection using the built-in admin user (dn=uid=admin,ou=system). In
> > another instance running the same version of the 2.0.0-M20 release, that
> > exact same operation (again bound as admin user) results in the following
> > error: invalid reuse of password present in password history
> >
> you sure that this is happening during bind? this check is performed only
> while updating the password of a user (excluding admin user)
>
> > It should never enforce the password policy for the admin user, correct?
> > Any idea what could be causing it to enforce the policy in one M20
> > instance and not the other?
> >
> > Thanks!
>
Hi Kiran...
Right. It didn't happen during bind, it happened when I tried to update
the password to the same value after binding as the
dn=uid=admin,ou=system user.
Re: Password Policy Enforced for admin user
Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, May 29, 2015 at 2:13 AM, David Paulsen <da...@kewill.com>
wrote:
> I'm running into a strange issue. I have two separate servers running the
> official 2.0.0-M20 release. In one instance I can change the password to
> anything I want (including the same password) when I bind to the
> connection using the built-in admin user (dn=uid=admin,ou=system). In
> another instance running the same version of the 2.0.0-M20 release, that
> exact same operation (again bound as admin user) results in the following
> error: invalid reuse of password present in password history
>
you sure that this is happening during bind? this check is performed only
while updating the password of a user (excluding admin user)
>
> It should never enforce the password policy for the admin user, correct?
> Any idea what could be causing it to enforce the policy in one M20
> instance and not the other?
>
> Thanks!
>
>
--
Kiran Ayyagari
http://keydap.com