On 9/28/21 5:53 PM, Morgan Jones wrote:
May I have a sanity check here? I am attempting to add pre-hashed passwords to users. If I’ve read the documentation correctly this should work. I’ve also tried putting uid=selectivesync389,ou=svc_accts,dc=domain,dc=org directly in passwordAdminDN:

morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D cn=directory\ manager -LLLb cn=config -s base objectclass=\* passwordAdminDN
dn: cn=config
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=domain,dc=org

morgan@woodrow-2 ~ %
morgan@woodrow-2 ~ % ldapsearch -H ldaps://tstds21.domain.org -x -w pass -D cn=directory\ manager -LLLb dc=domain,dc=org cn=passwd\ admins
dn: cn=Passwd Admins,ou=groups,dc=domain,dc=org
description: password admins
objectClass: top
objectClass: groupofuniquenames
cn: Passwd Admins
uniqueMember: uid=selectivesync389,ou=svc_accts,dc=domain,dc=org

morgan@woodrow-2 ~ %
morgan@woodrow-2 ~ % ldapmodify -a -w pass -D uid=selectivesync389,ou=svc_accts,dc=domain,dc=org -H ldaps://tstds21.domain.org
dn: uid=zimbratest06,ou=employees,dc=domain,dc=org
changetype: modify
replace: userpassword
userpassword: {SHA}hrJ6x38+yn2LiTm1qqkGjNXAh8I=

modifying entry "uid=zimbratest06,ou=employees,dc=domain,dc=org"
ldap_modify: Constraint violation (19)
        additional info: invalid password syntax - passwords with storage scheme are not allowed

morgan@woodrow-2 ~ %

We’re running 1.3.10 on CentOS 7.9:

[root@tstds21 morgan]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@tstds21 morgan]# rpm -qa|grep 389
389-adminutil-1.1.22-2.el7.x86_64
389-ds-base-1.3.10.2-10.el7_9.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-ds-base-libs-1.3.10.2-10.el7_9.x86_64
389-console-1.1.19-6.el7.noarch
389-ds-console-1.2.16-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-1.1.46-4.el7.x86_64
[root@tstds21 morgan]#

Am I missing something??

thank you!
You are not, you set it up correctly. One thing you did not list was that you are supposed to add an aci that allows that group to update the userpassword attribute, but that would not explain the constraint violation. It could be a bug.
One quick question, are you also using a subtree/local password policy that might be conflicting with the global password policy? Local policies override the global policy.
Mark
-morgan
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
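
The ACI mentioned in the reply, written out as an added example that is not part of the original thread. It reuses the group DN and the ou=employees container shown in the thread; placing the ACI on ou=employees rather than on the whole suffix, and the acl name, are assumptions made here to keep the grant as narrow as the use case.

```ldif
# Constructed example: let members of the Passwd Admins group write
# userPassword on entries under ou=employees only.
# The acl name is an arbitrary label chosen for this example.
dn: ou=employees,dc=domain,dc=org
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "Passwd Admins can write userPassword"; allow (write) groupdn = "ldap:///cn=Passwd Admins,ou=groups,dc=domain,dc=org";)
```

As the reply notes, a missing ACI would not explain the constraint violation; this only covers the access-control half of the setup.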