Posted to users@directory.apache.org by Kiran Ayyagari <ka...@apache.org> on 2015/06/01 14:47:31 UTC

Re: Password Policy Enforced for admin user

David,

On Sat, May 30, 2015 at 3:12 AM, David Paulsen <da...@kewill.com>
wrote:

> David Paulsen <da...@...> writes:
>
> >
> > Kiran Ayyagari <kayyagari <at> ...> writes:
> >
> > >
> > > On Fri, May 29, 2015 at 2:13 AM, David Paulsen <dave.paulsen <at>
> ...>
> > > wrote:
> > >
> > > > I'm running into a strange issue. I have two separate servers
> > running the
> > > > official 2.0.0-M20 release. In one instance I can change the
> > password to
> > > > anything I want (including the same password) when I bind to the
> > > > connection using the built-in admin user (dn=uid=admin,ou=system).
> > In
> > > > another instance running the same version of the 2.0.0-M20
> release,
> > that
> > > > exact same operation (again bound as admin user) results in the
> > following
> > > > error: invalid reuse of password present in password history
> > > >
> > > Are you sure that this is happening during bind? This check is performed
> > only
> > > while updating the password of a user (excluding admin user)
> > >
> > > >
> > > > It should never enforce the password policy for the admin user,
> > correct?
> > > > Any idea what could be causing it to enforce the policy in one M20
> > > > instance and not the other?
> > > >
> > >
> > > > Thanks!
> > > >
> > > >
> > >
> >
> > Hi Kiran...
> >
> > Right. It didn't happen during bind, it happened when I tried to
> update
> > the password to the same value after binding as the
> > dn=uid=admin,ou=system user.
> >
> >
> I found a way to recreate this problem. I believe the issue is that when
> bound to a connection using the "uid=admin,ou=system" user, it enforces
> the ads-pwdInHistory in the password policy of the uid I'm changing the
> password for. For example, if I'm changing the password for
> uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has
> a pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
> it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting
> even with the admin user.
>
> My understanding is that since it's the admin user, it should not be
> enforcing any password policy rules.
>
> Steps:
> (1) Create a password policy where the ads-pwdInHistory is greater than
> 0 so it enforces not reusing passwords.
> (2) Create a uid and set its pwdPolicySubentry to the above password
> policy.
> (3) Create a connection and bind to it using the "uid=admin,ou=system"
> user, and then modify password for the above uid. You will get this
> error:
>     error: invalid reuse of password present in password history
>
Can you file a bug? I will take a look.

Thank you



-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy Enforced for admin user

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jun 9, 2015 at 9:40 PM, David Paulsen <da...@kewill.com>
wrote:

>
> > Bug created:
> > https://issues.apache.org/jira/browse/DIRSERVER-2067
> >
> >
> Will this bug be fixed in the next release?
>
Yes, certainly



-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy Enforced for admin user

Posted by David Paulsen <da...@kewill.com>.
> Bug created:
> https://issues.apache.org/jira/browse/DIRSERVER-2067
> 
> 
Will this bug be fixed in the next release?




Re: Password Policy Enforced for admin user

Posted by David Paulsen <da...@kewill.com>.
> Can you file a bug? I will take a look.
> 
> Thank you
> 

Bug created:
https://issues.apache.org/jira/browse/DIRSERVER-2067