Hello I am migrating an LDAP system from CentOS-Directory/8.1.0 B2009.134.1334 to 389-Directory/1.3.5.10 B2017.145.2037 We have an external app/too for user password management. The tool binds as a special user when changing passwords in the "forgot password" use case, and as the regular user in the "I know my password but want to change it" use case. In both use cases the tool has the behavior of generating an SSHA hash string and then doing an ldapmodify to change the userPassword value to that string. When we tested the tool against the new instances we got the error in the subject. I had already defined the proper ACI for the special user. Digging around I found if I provided the dn for special user in the passwordAdminDN attribute value in cn=config the "forgot password" use case worked. However the application will of course continue to fail when it binds as the regular users. One additional item - the systems we are coming from do have a Password Policy configured, but I have not explicitly configured one yet on the new systems, even though the relevant per-user attributes came over in the db migration. However, the password policy is only for when the passwords need to be changed/expired, as opposed to syntax/strength. Is there a way around this without changing our app/tool to send the plain password over SSL/TLS/STARTTLS? Thanks Kirk MacDonald Eastlink _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
