Probably the culprit is specifically pam_cracklib, which among other things checks if password are too similar.
http://www.linux-pam.org/Linux-PAM-html/sag-pam_cracklib.html Looks like you can use the difok=N option to specify how many characters need to differ from old one for it not to be "too similar". You could set this to 1 or 2 to allow incremental changes at the end, or 0 probably to disable entirely. On Thu, May 29, 2014 at 7:10 AM, John Trump <[email protected]> wrote: > Agree about password security. What I provided was just an example of a > password. Unfortunately forcing the use of a non similar is beyond my > control. I guess one bright spot is the password being used meets all other > complexity requirements, I just needed to allow subsequent passwords to be > similar. > On May 29, 2014 6:08 AM, "Vincent Gerris" <[email protected]> wrote: > >> Well I just like to note that you SHOULD NOT want to use a password like >> that. >> It's completely insecure and thus a very BAD idea from a security >> perspective. >> As far as I know, you can override a directory wide password policy per >> account, so if the restrictions come from there, just change them there, >> there is a setting that defines how different a next password should be. >> If it come from a module in between with similar rules and if you really >> want to do this, you should also modify it there. >> If the module correctly handles LDAP responses regarding password >> policies, then you should be able to disable the checks there. >> >> >> >> On Wed, May 28, 2014 at 11:06 PM, John Trump <[email protected]> wrote: >> >>> The issue was being caused by the pam module on the linux systems. Not >>> sure why I have to modify pam module to allow similar paswords when >>> changing ldap passwords. >>> >>> >>> On Wed, May 28, 2014 at 4:24 PM, Mark Reynolds <[email protected]> >>> wrote: >>> >>>> >>>> On 05/28/2014 04:21 PM, John Trump wrote: >>>> >>>> Not using any other client app. User logged on to a linux system and >>>> trying to change password. If they choose a password to similar to the old >>>> one it will not allow it. >>>> >>>> How are you changing the password, are you using ldapmodify? Can you >>>> post access log(/var/log/dirsrv/slapd-INSTANCE/access) output showing the >>>> failed password attempt? >>>> >>>> >>>> >>>> On Wed, May 28, 2014 at 4:14 PM, Mark Reynolds <[email protected]> >>>> wrote: >>>> >>>>> >>>>> On 05/28/2014 04:06 PM, John Trump wrote: >>>>> >>>>> Haven't been able to come up with a solution yet. Hopefully someone on >>>>> the list has a suggestion. >>>>> >>>>> >>>>> On Fri, May 23, 2014 at 12:42 PM, John Trump <[email protected]> >>>>> wrote: >>>>> >>>>>> I would like to relax the password policy for specific users to allow >>>>>> them to modify passwords but use similar password to their old one. These >>>>>> are "group" accounts and would like to allow password to be set to: >>>>>> password01 then allow password to be changed to password02. Currently >>>>>> this >>>>>> is not allowed. I understand security risk etc in allowing this. I do >>>>>> want >>>>>> to keep other password complexity and history settings. >>>>>> >>>>>> Suggestions? >>>>>> >>>>> I'm not aware of a setting in 389 that prohibits you from using >>>>> secret01, then secret02, and then secret03, etc. These should all be >>>>> allowed. Are you using some other client app(freeIPA?) to make these >>>>> password updates? >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> 389 users mailing >>>>> [email protected]https://admin.fedoraproject.org/mailman/listinfo/389-users >>>>> >>>>> >>>>> >>>>> -- >>>>> 389 users mailing list >>>>> [email protected] >>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users >>>>> >>>> >>>> >>>> >>>> -- >>>> 389 users mailing >>>> [email protected]https://admin.fedoraproject.org/mailman/listinfo/389-users >>>> >>>> >>>> >>>> -- >>>> 389 users mailing list >>>> [email protected] >>>> https://admin.fedoraproject.org/mailman/listinfo/389-users >>>> >>> >>> >>> -- >>> 389 users mailing list >>> [email protected] >>> https://admin.fedoraproject.org/mailman/listinfo/389-users >>> >> >> >> -- >> 389 users mailing list >> [email protected] >> https://admin.fedoraproject.org/mailman/listinfo/389-users >> > > -- > 389 users mailing list > [email protected] > https://admin.fedoraproject.org/mailman/listinfo/389-users >
-- 389 users mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/389-users
