Posted to users@directory.apache.org by David Paulsen <da...@kewill.com> on 2015/05/28 20:13:29 UTC

Password Policy Enforced for admin user

I'm running into a strange issue. I have two separate servers running the  
official 2.0.0-M20 release. In one instance I can change the password to 
anything I want (including the same password) when I bind to the 
connection using the built in admin user (dn=uid=admin,ou=system). In 
another instance running the same version of the 2.0.0-M20 release, that 
exact same operation (again bound as admin user) results in the following 
error: invalid reuse of password present in password history

It should never enforce the password policy for the admin user, correct? 
Any idea what could be causing it to enforce the policy in one M20 
instance and not the other?

Thanks!


Re: Password Policy Enforced for admin user

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jun 9, 2015 at 9:40 PM, David Paulsen <da...@kewill.com>
wrote:

>
> > Bug created:
> > https://issues.apache.org/jira/browse/DIRSERVER-2067
> >
> >
> Will this bug be fixed in the next release?
>
yes, certainly



-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy Enforced for admin user

Posted by David Paulsen <da...@kewill.com>.
> Bug created:
> https://issues.apache.org/jira/browse/DIRSERVER-2067
> 
> 
Will this bug be fixed in the next release?




Re: Password Policy Enforced for admin user

Posted by David Paulsen <da...@kewill.com>.
> can you file a bug, I will take a look.
> 
> thank you
> 

Bug created:
https://issues.apache.org/jira/browse/DIRSERVER-2067



Re: Password Policy Enforced for admin user

Posted by Kiran Ayyagari <ka...@apache.org>.
David,

On Sat, May 30, 2015 at 3:12 AM, David Paulsen <da...@kewill.com>
wrote:

> David Paulsen <da...@...> writes:
>
> >
> > Kiran Ayyagari <kayyagari <at> ...> writes:
> >
> > >
> > > On Fri, May 29, 2015 at 2:13 AM, David Paulsen <dave.paulsen <at> ...>
> > > wrote:
> > >
> > > > I'm running into a strange issue. I have two separate servers
> > > > running the official 2.0.0-M20 release. In one instance I can change
> > > > the password to anything I want (including the same password) when I
> > > > bind to the connection using the built in admin user
> > > > (dn=uid=admin,ou=system). In another instance running the same
> > > > version of the 2.0.0-M20 release, that exact same operation (again
> > > > bound as admin user) results in the following error: invalid reuse
> > > > of password present in password history
> > > >
> > > you sure that this is happening during bind? this check is performed
> > > only while updating the password of a user (excluding admin user)
> > >
> > > >
> > > > It should never enforce the password policy for the admin user,
> > > > correct? Any idea what could be causing it to enforce the policy in
> > > > one M20 instance and not the other?
> > > >
> > >
> > > > Thanks!
> > > >
> > > >
> > >
> >
> > Hi Kiran...
> >
> > Right. It didn't happen during bind, it happened when I tried to
> > update the password to the same value after binding as the
> > dn=uid=admin,ou=system user.
> >
> >
> I found a way to recreate this problem. I believe the issue is that when
> bound to a connection using the "uid=admin,ou=system" user, it enforces
> the ads-pwdInHistory in the password policy of the uid I'm changing the
> password for. For example, if I'm changing the password for
> uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has
> a pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
> it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting
> even with the admin user.
>
> My understanding is that since it's the admin user, it should not be
> enforcing any password policy rules.
>
> Steps:
> (1) Create a password policy where the ads-pwdInHistory is greater than
> 0 so it enforces not reusing passwords.
> (2) Create a uid and set its pwdPolicySubentry to the above password
> policy.
> (3) Create a connection and bind to it using the "uid=admin,ou=system"
> user, and then modify password for the above uid. You will get this
> error:
>     error: invalid reuse of password present in password history
>
>
can you file a bug, I will take a look.

thank you



-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy Enforced for admin user

Posted by David Paulsen <da...@kewill.com>.
David Paulsen <da...@...> writes:

> 
> Kiran Ayyagari <kayyagari <at> ...> writes:
> 
> > 
> > On Fri, May 29, 2015 at 2:13 AM, David Paulsen <dave.paulsen <at> ...>
> > wrote:
> > 
> > > I'm running into a strange issue. I have two separate servers
> > > running the official 2.0.0-M20 release. In one instance I can change
> > > the password to anything I want (including the same password) when I
> > > bind to the connection using the built in admin user
> > > (dn=uid=admin,ou=system). In another instance running the same
> > > version of the 2.0.0-M20 release, that exact same operation (again
> > > bound as admin user) results in the following error: invalid reuse
> > > of password present in password history
> > >
> > you sure that this is happening during bind? this check is performed
> > only while updating the password of a user (excluding admin user)
> > 
> > >
> > > It should never enforce the password policy for the admin user,
> > > correct? Any idea what could be causing it to enforce the policy in
> > > one M20 instance and not the other?
> > >
> > 
> > > Thanks!
> > >
> > >
> > 
> 
> Hi Kiran...
> 
> Right. It didn't happen during bind, it happened when I tried to
> update the password to the same value after binding as the
> dn=uid=admin,ou=system user.
> 
> 
I found a way to recreate this problem. I believe the issue is that when 
bound to a connection using the "uid=admin,ou=system" user, it enforces 
the ads-pwdInHistory in the password policy of the uid I'm changing the 
password for. For example, if I'm changing the password for 
uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has 
a pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting 
even with the admin user.

My understanding is that since it's the admin user, it should not be 
enforcing any password policy rules.

Steps:
(1) Create a password policy where the ads-pwdInHistory is greater than 
0 so it enforces not reusing passwords.
(2) Create a uid and set its pwdPolicySubentry to the above password 
policy.
(3) Create a connection and bind to it using the "uid=admin,ou=system" 
user, and then modify password for the above uid. You will get this 
error:
    error: invalid reuse of password present in password history


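The three reproduction steps above, worked through as an added example; this is not code from the thread or from ApacheDS. It is a stand-alone Python model of a pwdInHistory check: the pwdHistory value layout (time#syntaxOID#length#data, taken from draft-behera-ldap-password-policy, which ApacheDS's pwd* attributes follow), the {SSHA} storage scheme, the policy size of 3 and the use of the target DN from the report are all assumptions, and `exempt_admin` is a hypothetical switch that runs the same three steps once with the admin exemption Kiran describes and once without it, which is what the reporter's second M20 instance does:

```python
import base64
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Built-in administrator DN named in the thread.
ADMIN_DN = "uid=admin,ou=system"
# LDAP syntax OID for Octet String (the syntax of userPassword); appears in pwdHistory values.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


@dataclass
class PasswordPolicy:
    # Models ads-pwdInHistory: how many used passwords are kept and must not be reused.
    pwd_in_history: int = 0


@dataclass
class Entry:
    dn: str
    policy: PasswordPolicy            # stands in for the entry's pwdPolicySubentry
    user_password: bytes = b""
    # pwdHistory values in the draft-behera format: time "#" syntaxOID "#" length "#" data
    pwd_history: list = field(default_factory=list)


def ssha(password: bytes, salt: bytes = None) -> bytes:
    """Return an {SSHA} value: base64(sha1(password + salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


def ssha_matches(stored: bytes, candidate: bytes) -> bool:
    """Check a cleartext candidate against a stored {SSHA} (or cleartext) value."""
    if not stored.startswith(b"{SSHA}"):
        return stored == candidate
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate + salt).digest() == digest


def history_value(stored: bytes, when: datetime) -> str:
    """Encode one pwdHistory value: time#syntaxOID#length#data."""
    data = stored.decode("ascii")
    return f"{when.strftime('%Y%m%d%H%M%SZ')}#{OCTET_STRING_OID}#{len(data)}#{data}"


def parse_history_value(value: str) -> bytes:
    """Decode the data part of a pwdHistory value (data may itself contain '#')."""
    _time, _oid, length, data = value.split("#", 3)
    if len(data) != int(length):
        raise ValueError("pwdHistory length field does not match data")
    return data.encode("ascii")


class PasswordInHistoryError(Exception):
    """Stands in for the server's 'invalid reuse of password present in password history'."""


def change_password(entry: Entry, new_password: bytes, bound_dn: str,
                    exempt_admin: bool = True, now: datetime = None) -> Entry:
    """Modify userPassword on `entry` on behalf of `bound_dn`.

    exempt_admin=True skips the history check for the admin user, the behaviour the
    thread expects; exempt_admin=False enforces the target entry's policy regardless
    of who is bound, which is what the reporter's M20 instance does.
    """
    now = now or datetime.now(timezone.utc)
    keep = entry.policy.pwd_in_history
    enforce = keep > 0 and not (exempt_admin and bound_dn == ADMIN_DN)
    if enforce:
        for value in entry.pwd_history:
            if ssha_matches(parse_history_value(value), new_password):
                raise PasswordInHistoryError(
                    f"invalid reuse of password present in password history ({entry.dn})")
    stored = ssha(new_password)
    entry.user_password = stored
    if keep > 0:
        # The new value enters the history so that a later change back to it is refused.
        entry.pwd_history = (entry.pwd_history + [history_value(stored, now)])[-keep:]
    return entry


def reproduce(exempt_admin: bool) -> str:
    """Run the report's three steps; return 'accepted' or 'rejected' for step 3."""
    policy = PasswordPolicy(pwd_in_history=3)  # step 1: ads-pwdInHistory > 0 (assumed value)
    user = Entry(dn="uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com", policy=policy)
    change_password(user, b"Initial-pw-1", ADMIN_DN, exempt_admin)  # step 2: entry gets a password
    try:
        change_password(user, b"Initial-pw-1", ADMIN_DN, exempt_admin)  # step 3: same value, bound as admin
    except PasswordInHistoryError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("admin exempt (expected):    ", reproduce(exempt_admin=True))
    print("admin not exempt (observed):", reproduce(exempt_admin=False))
```

A user bound as itself is refused by both variants, so the only thing that separates the two servers in the report is whether the binder's identity is consulted before the target entry's pwdPolicySubentry is applied. Against a live server the in-memory entry is replaced by the LDIF for the policy and the user, and the `change_password` calls by modify operations sent from an LDAP client bound as uid=admin,ou=system.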



Re: Password Policy Enforced for admin user

Posted by David Paulsen <da...@kewill.com>.
Kiran Ayyagari <ka...@...> writes:

> 
> On Fri, May 29, 2015 at 2:13 AM, David Paulsen <da...@...>
> wrote:
> 
> > I'm running into a strange issue. I have two separate servers
> > running the official 2.0.0-M20 release. In one instance I can change
> > the password to anything I want (including the same password) when I
> > bind to the connection using the built in admin user
> > (dn=uid=admin,ou=system). In another instance running the same
> > version of the 2.0.0-M20 release, that exact same operation (again
> > bound as admin user) results in the following error: invalid reuse of
> > password present in password history
> >
> you sure that this is happening during bind? this check is performed
> only while updating the password of a user (excluding admin user)
> 
> >
> > It should never enforce the password policy for the admin user,
> > correct? Any idea what could be causing it to enforce the policy in
> > one M20 instance and not the other?
> >
> 
> > Thanks!
> >
> >
> 

Hi Kiran...

Right. It didn't happen during bind, it happened when I tried to update 
the password to the same value after binding as the 
dn=uid=admin,ou=system user.



Re: Password Policy Enforced for admin user

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, May 29, 2015 at 2:13 AM, David Paulsen <da...@kewill.com>
wrote:

> I'm running into a strange issue. I have two separate servers running the
> official 2.0.0-M20 release. In one instance I can change the password to
> anything I want (including the same password) when I bind to the
> connection using the built in admin user (dn=uid=admin,ou=system). In
> another instance running the same version of the 2.0.0-M20 release, that
> exact same operation (again bound as admin user) results in the following
> error: invalid reuse of password present in password history
>
you sure that this is happening during bind? this check is performed only
while updating the password of a user (excluding admin user)

>
> It should never enforce the password policy for the admin user, correct?
> Any idea what could be causing it to enforce the policy in one M20
> instance and not the other?
>

> Thanks!
>
>


-- 
Kiran Ayyagari
http://keydap.com