4:50 a.m.
Hi,
I am trying to make horde's module passwd let users change their passwords.
In the configuration file of the moduke there are two options for ldap :
- ldap : this option uses the users credentials to modify the password (the
user change his password with his credentials).
- ldapadmin : this option uses the admin, such as the Directory Manager to
modify the user's password.
the first one, didn't work for me, I get in the horde log : could not
replace userPassword attribute, LDAP server : constraint violation.
the second one worked.
In the error log of 389DS, I didn't find any useful error message.
PS : tls is enabled.
any idea?
Regards.
5:19 a.m.
On 04/12/2016 11:50 AM, wodel youchi wrote:
Hi,
I am trying to make horde's module passwd let users change their
passwords.
In the configuration file of the moduke there are two options for ldap :
- ldap : this option uses the users credentials to modify the password
(the user change his password with his credentials).
- ldapadmin : this option uses the admin, such as the Directory
Manager to modify the user's password.
the first one, didn't work for me, I get in the horde log : could not
replace userPassword attribute, LDAP server : constraint violation.
the second one worked.
In the error log of 389DS, I didn't find any useful error message.
PS : tls is enabled.
any idea?
changing th pw as user, you probably violate the password policy
Regards.
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
5:35 a.m.
Hi, and thanks
But as I understand, there is and AC created for
ou=people,dc=example,dc=com called "Allow self entry modification" and
userPassword attribute is selected for write.
is there another AC that supersedes this one?
Regards.
2016-04-12 11:19 GMT+01:00 Ludwig Krispenz <lkrispen(a)redhat.com>:
On 04/12/2016 11:50 AM, wodel youchi wrote:
Hi,
I am trying to make horde's module passwd let users change their passwords.
In the configuration file of the moduke there are two options for ldap :
- ldap : this option uses the users credentials to modify the password
(the user change his password with his credentials).
- ldapadmin : this option uses the admin, such as the Directory Manager to
modify the user's password.
the first one, didn't work for me, I get in the horde log : could not
replace userPassword attribute, LDAP server : constraint violation.
the second one worked.
In the error log of 389DS, I didn't find any useful error message.
PS : tls is enabled.
any idea?
changing th pw as user, you probably violate the password policy
Regards.
--
389 users mailing list
389-users@%(host_name)shttp://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
6:39 a.m.
Hi,
I was not talking about access control, but about password policy -
quality of passwords, reuse, expiration, when it can be changed ...
Please read:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10...
On 04/12/2016 12:35 PM, wodel youchi wrote:
Hi, and thanks
But as I understand, there is and AC created for
ou=people,dc=example,dc=com called "Allow self entry modification" and
userPassword attribute is selected for write.
is there another AC that supersedes this one?
Regards.
2016-04-12 11:19 GMT+01:00 Ludwig Krispenz <lkrispen(a)redhat.com
<mailto:lkrispen@redhat.com>>:
On 04/12/2016 11:50 AM, wodel youchi wrote:
> Hi,
>
> I am trying to make horde's module passwd let users change their
> passwords.
>
> In the configuration file of the moduke there are two options for
> ldap :
>
> - ldap : this option uses the users credentials to modify the
> password (the user change his password with his credentials).
>
> - ldapadmin : this option uses the admin, such as the Directory
> Manager to modify the user's password.
>
> the first one, didn't work for me, I get in the horde log : could
> not replace userPassword attribute, LDAP server : constraint
> violation.
>
> the second one worked.
>
> In the error log of 389DS, I didn't find any useful error message.
>
> PS : tls is enabled.
>
>
> any idea?
changing th pw as user, you probably violate the password policy
>
>
> Regards.
>
>
> --
> 389 users mailing list
> 389-users@%(host_name)s
> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
7:52 a.m.
Hi, and thanks again.
I took a look on the 389DS's console, in configuration -> Data ->
Passwords, and there is no special configuration
Enable fine-grained password policy is : Disabled
in User password change :
User may change password is : Enbaled
Allow changes in = 0 days
keep password history is : Disabled
Password never expire : Enabled
Password syntax : Disabled
Password Encryption is SSHA.
Another thing : I tried to use ldappasswd command (from the mail server)
with the user credentials, and it worked even with simple passwords:
ldappasswd -H ldap://idm01.example.com -x -D
"uid=nagios,ou=people,dc=example,dc=com" -w nagios2016 -a nagios2016 -s
azertyu7 -v -Z
ldap_initialize( ldap://idm01.example.com:389/??base )
Result: Success (0)
Regards.
2016-04-12 12:39 GMT+01:00 Ludwig Krispenz <lkrispen(a)redhat.com>:
Hi,
I was not talking about access control, but about password policy -
quality of passwords, reuse, expiration, when it can be changed ...
Please read:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10...
On 04/12/2016 12:35 PM, wodel youchi wrote:
Hi, and thanks
But as I understand, there is and AC created for
ou=people,dc=example,dc=com called "Allow self entry modification" and
userPassword attribute is selected for write.
is there another AC that supersedes this one?
Regards.
2016-04-12 11:19 GMT+01:00 Ludwig Krispenz <lkrispen(a)redhat.com>:
>
> On 04/12/2016 11:50 AM, wodel youchi wrote:
>
> Hi,
>
> I am trying to make horde's module passwd let users change their
> passwords.
>
> In the configuration file of the moduke there are two options for ldap :
>
> - ldap : this option uses the users credentials to modify the password
> (the user change his password with his credentials).
>
> - ldapadmin : this option uses the admin, such as the Directory Manager
> to modify the user's password.
>
> the first one, didn't work for me, I get in the horde log : could not
> replace userPassword attribute, LDAP server : constraint violation.
>
> the second one worked.
>
> In the error log of 389DS, I didn't find any useful error message.
>
> PS : tls is enabled.
>
>
> any idea?
>
> changing th pw as user, you probably violate the password policy
>
>
>
> Regards.
>
>
> --
> 389 users mailing list
>
389-users@%(host_name)shttp://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill
>
>
> --
> 389 users mailing list
> 389-users@%(host_name)s
>
> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>
--
389 users mailing list
389-users@%(host_name)shttp://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
11:22 a.m.
On 04/12/2016 02:50 AM, wodel youchi wrote:
the first one, didn't work for me, I get in the horde log : could
not
replace userPassword attribute, LDAP server : constraint violation.
I don't work with Horde, but you might be seeing something like this:
http://serverfault.com/questions/459906/centos-directory-server-changing-...
"constraint violation" sounds like Horde is not using the password
change extended operation.
https://github.com/horde/horde/blob/master/passwd/lib/Driver/Ldap.php
Yeah, it isn't. You should either fix lines 169-171, or give users a
different tool for managing their password.
2929
days inactive
2929
days old
389-users@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
Gordon Messmer -
Ludwig Krispenz -
wodel youchi