Hi all,

>>https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....

Thanks for the tip, I will try it.

>>But you are using subtree policies, these override the global policy. You need to set passwordHistory in your subtree policy:

?? I set it at the global level (see again my screen dump from the first thread), at the "DATA" tree. YES, it has been working for at least 3 years.

>>So if you change the password as directory manager it will let you do whatever you want. So make sure you always change passwords as a "database user" if you expect password policies to be enforced.

Not correct; below is a test from another LDAP instance with the same LDAP version. In this LDAP setup passwordHistory works, fortunately.

Let us test again: the password is in the test script and I do it as directory manager (see the test script in the first thread).

[root@centos ldap]# ./test_passwd_history.ksh
dn: cn=Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos
passwordRetryCount: 0
passwordExpWarned: 0
passwordExpirationTime: 19700101000000Z
passwordHistory: 20170227155538Z{crypt}6JpUMxrkKWlAE
passwordHistory: 20170227155900Z{crypt}N3fSq/dQumt.M
passwordHistory: 20170227155956Z{crypt}d9gk5RmC/p/mM
passwordHistory: 20170227160009Z{crypt}VVdJ0STcpFZ5E
passwordHistory: 20170227161428Z{crypt}3NiVtBZZRLt2c
passwordHistory: 20170228164119Z{crypt}mBGEwcpLcNCgU
passwordHistory: 20170301104202Z{crypt}LBI9oRjH/5Igs
createtimestamp: 20170127162440Z
modifytimestamp: 20170301105634Z
retryCountResetTime: 20170207200155Z

Successful.

[root@centos ldap]# ./test_passwd_history.ksh
dn: cn=Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos
passwordRetryCount: 0
passwordExpWarned: 0
passwordExpirationTime: 19700101000000Z
passwordHistory: 20170227155538Z{crypt}6JpUMxrkKWlAE
passwordHistory: 20170227155900Z{crypt}N3fSq/dQumt.M
passwordHistory: 20170227155956Z{crypt}d9gk5RmC/p/mM
passwordHistory: 20170227160009Z{crypt}VVdJ0STcpFZ5E
passwordHistory: 20170227161428Z{crypt}3NiVtBZZRLt2c
passwordHistory: 20170228164119Z{crypt}mBGEwcpLcNCgU
passwordHistory: 20170301104202Z{crypt}LBI9oRjH/5Igs
passwordHistory: 20170301145159Z{crypt}8LrUk1IX67Ivg
createtimestamp: 20170127162440Z
modifytimestamp: 20170301145159Z
retryCountResetTime: 20170207200155Z
passwordAllowChangeTime: 20170302145159Z
Result: Constraint violation (19)
Additional info: Failed to update password

It failed the second time due to passwordAllowChangeTime. I deleted that entry now.

[root@centos ldap]# ./test_passwd_history.ksh
dn: cn=Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos
passwordRetryCount: 0
passwordExpWarned: 0
passwordExpirationTime: 19700101000000Z
passwordHistory: 20170227155538Z{crypt}6JpUMxrkKWlAE
passwordHistory: 20170227155900Z{crypt}N3fSq/dQumt.M
passwordHistory: 20170227155956Z{crypt}d9gk5RmC/p/mM
passwordHistory: 20170227160009Z{crypt}VVdJ0STcpFZ5E
passwordHistory: 20170227161428Z{crypt}3NiVtBZZRLt2c
passwordHistory: 20170228164119Z{crypt}mBGEwcpLcNCgU
passwordHistory: 20170301104202Z{crypt}LBI9oRjH/5Igs
passwordHistory: 20170301145159Z{crypt}8LrUk1IX67Ivg
createtimestamp: 20170127162440Z
modifytimestamp: 20170301160930Z
retryCountResetTime: 20170207200155Z
Result: Constraint violation (19)
Additional info: Failed to update password
[root@centos ldap]#

Failed due to passwordHistory: not allowed to use the same password again.

[root@centos ldap]# cat ./test_passwd_history.ksh
#!/bin/ksh
#Ldap test passwd if it is expired or not - tng 20170226
ldapsearch -xLLL -ZZ -b dc=centos '(&(uid=tnng2))' userPassword passwordRetryCount passwordExpWarned accountUnlockTime passwordExpirationTime passwordHistory createtimestamp modifytimestamp retryCountResetTime passwordAllowChangeTime nsRoleDN
ldappasswd -s Ja#%==TNG8 -w SECRET! -x -ZZ -D cn='directory manager' cn='Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos'

br
Tuan
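
Added example, not part of the original message or of the 389 Directory Server project: both failed runs above return the same "Constraint violation (19)" text, so this Python code reads the ldapsearch snapshot taken before the attempt and lists which policy attributes (passwordAllowChangeTime, passwordHistory) could account for the rejection. The triage function, its wording and the sample entry are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the second run in the post; the DN and the
# hash values are placeholders, not data from a real directory.
SAMPLE_LDIF = """\
dn: cn=Example User,ou=People,dc=example
passwordHistory: 20170228164119Z{crypt}PLACEHOLDER1
passwordHistory: 20170301145159Z{crypt}PLACEHOLDER2
modifytimestamp: 20170301145159Z
passwordAllowChangeTime: 20170302145159Z
"""

def parse_time(value):
    """Parse an LDAP GeneralizedTime such as 20170301145159Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_entry(ldif):
    """Collect attribute values from one unfolded LDIF entry (name -> list)."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            attrs.setdefault(name.lower(), []).append(value)
    return attrs

def parse_history(value):
    """Split a passwordHistory value into (change time, scheme, hash)."""
    stamp, _, rest = value.partition("{")
    scheme, _, digest = rest.partition("}")
    return parse_time(stamp), scheme, digest

def triage(ldif, attempt_time):
    """List policy attributes that could explain a Constraint violation (19)."""
    attrs = parse_entry(ldif)
    reasons = []
    allow = attrs.get("passwordallowchangetime")
    if allow and parse_time(allow[0]) > attempt_time:
        reasons.append("minimum age: passwordAllowChangeTime is in the future")
    history = [parse_history(v) for v in attrs.get("passwordhistory", [])]
    if history:
        # Only the server can compare hashes; this just flags history as a candidate.
        newest = max(h[0] for h in history)
        reasons.append(f"history: {len(history)} stored values, newest {newest:%Y-%m-%d %H:%M:%S}Z")
    return reasons
```

Calling triage(SAMPLE_LDIF, parse_time("20170301150000Z")) reports both candidates, while an attempt time after passwordAllowChangeTime leaves only the history check, matching the second and third runs in the post.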