Hi Grant, I think that you can disable the password history feature by using: dsconf instance_name pwpolicy set --pwdhistory off
Similarly, to change the history size, you can try: dsconf instance_name pwpolicy set --pwdhistorycount 0 Regards, Pierre On Wed, Jul 24, 2024 at 2:23 PM Grant Byers <[email protected]> wrote: > Hi, > > We've recently migrated our multi-supplier, multi-consumer 389 infra > from 2.0.x to 2.2.9. The migration was relatively painless, but our logs > are currently flooded with messages like the following; > > [24/Jul/2024:11:10:10.499567264 +0000] - ERR - acct_update_login_history > - Modify error 20 on entry 'uid=xxxxx,ou=people,dc=example,dc=net' > [24/Jul/2024:11:10:10.696468976 +0000] - ERR - attrlist_replace - > attr_replace (lastLoginHistory, 20240724111004Z) failed. > > There's a bug report for this that matches ours[1], and the issue > appears to have been addressed. It doesn't appear to have been addressed > in 2.2.9 however, which is the latest version available in the copr > repo[2] that effectively replaced epel8-modular. > > We have the AccountPolicy plugin enabled only to record lastLoginTime (a > requirement from our security team), so we can't just disable it. We > also use password policy, so we chain binds from consumers to suppliers. > > I've seen mention that the lastLoginHistory attribute can be disabled by > setting lastLoginHistorySize to 0. I can't find any documentation on > this anywhere though. I've tried setting it in the AccountPolicyPlugin > config & also directly in cn=config, unsuccessfully. > > What are our options? > > Thanks, > Grant > > [1] https://github.com/389ds/389-ds-base/issues/5834 > [2] https://copr.fedorainfracloud.org/coprs/g/389ds/389-directory-server/ > > > -- > _______________________________________________ > 389-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- -- 389 Directory Server Development Team
-- _______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
