On 03/01/2017 04:30 PM, Mark Reynolds wrote: > > On 03/01/2017 04:25 PM, tuan88@xxxxxxxxx wrote: >> hi >> >> Here you are. >> with those 2 pasword below I can use them to "passwd" again & Again as user "tnng" > Can you paste some access log output showing these password updates? > passwd could still be using Directory Manager to set the passwords. >> !Ca4nn12 !H0yda23 >> >> [tnng@centos6 ~]$ passwd >> Changing password for user tnng. >> Current Password: >> New password: >> Retype new password: >> passwd: all authentication tokens updated successfully. >> [tnng@centos6 ~]$ passwd >> Changing password for user tnng. >> Current Password: >> New password: >> Retype new password: >> passwd: all authentication tokens updated successfully. >> [tnng@centos6 ~]$ passwd >> Changing password for user tnng. >> Current Password: >> New password: >> Retype new password: >> passwd: all authentication tokens updated successfully. >> [tnng@centos6 ~]$ passwd >> Changing password for user tnng. >> Current Password: >> New password: >> Retype new password: >> passwd: all authentication tokens updated successfully. >> [tnng@centos6 ~]$ >> >> [root@centos6 scripts]# ldapsearch -xLLL -ZZ -b dc=centos '(&(uid=tnng))' passwordRetryCount passwordExpWarned accountUnlockTime passwordExpirationTime passwordHistory createtimestamp modifytimestamp retryCountResetTime passwordAllowChangeTime nsRoleDN I also don't see passwordhistory in your user entries - another sign that you are using directory manger to update the password, or you have not set the passwordHistory in your password policy. Like I said before you are using two passwords policies (local and global). The subtree policy(local policy) overrides the global policy. So if you don't add passwordHistory to your local subtree password policy, which appears to span all your users, then it's also not going to work. I suggest you pick one or the other, but not both. Is there a reason you are using two policies? >> dn: cn=Tuan Nguyen,cn=unixtek,ou=Infrastructure,dc=centos >> passwordExpWarned: 0 >> passwordExpirationTime: 20170302203205Z >> createtimestamp: 20170114110541Z >> modifytimestamp: 20170301203205Z >> >> # entry-id: 60 >> dn: cn=Tuan Nguyen,cn=unixtek,ou=Infrastructure,dc=centos >> passwordExpWarned: 0 >> passwordExpirationTime: 20170302204127Z >> passwordGraceUserTime: 0 >> modifyTimestamp: 20170301204127Z >> modifiersName: cn=server,cn=plugins,cn=config >> userPassword:: e1NTSEF9RVFlNlgva2o4cCsvdVNRZis3NDROQnJzdEx6a1EzWGN6clNTWlE9PQ= >> = >> loginShell: /bin/bash >> uidNumber: 1234 >> gidNumber: 804 >> uid: tnng >> objectClass: top >> objectClass: posixaccount >> cn: Tuan Nguyen >> homeDirectory: /home/tnng >> creatorsName: cn=directory manager >> createTimestamp: 20170301203823Z >> nsUniqueId: ffc94351-febe11e6-9d7ddec4-bc02e5f0 >> >> # entry-id: 61 >> >> enable log: >> 128 Access control list processing >> 2048 Log entry parsing. Logs schema parsing debugging information. >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/error-logs.html >> >> stop dirsrv >> nsslapd-errorlog-level: 2176 (128+2048) (dse.ldif) >> start dirsrv >> >> the log "errors" is attached OR at www.chezmoi.dk/div/errors >> >> [root@centos6 slapd-centos]# cat /etc/sssd/sssd.conf >> [sssd] >> config_file_version = 2 >> services = nss, pam >> domains = default >> debug_level = 5 >> debug_to_files = true >> >> [nss] >> enum_cache_timeout = 30 >> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd >> >> [domain/default] >> auth_provider = ldap >> ldap_tls_cacertdir = /etc/openldap/cacerts >> #ldap_id_use_start_tls = True >> chpass_provider = ldap >> ldap_search_base = dc=CENTOS >> id_provider = ldap >> enumerate = True >> #cache_credentials = True >> offline_credentials_expiration = 3 >> ldap_uri = ldap://centos6.site,ldap://centos62.site >> _______________________________________________ >> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx >> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
