David Paulsen <dave.paulsen@...> writes:
>
> Kiran Ayyagari <kayyagari <at> ...> writes:
>
> > On Fri, May 29, 2015 at 2:13 AM, David Paulsen <dave.paulsen <at> ...>
> > wrote:
> >
> > > I'm running into a strange issue. I have two separate servers running the
> > > official 2.0.0-M20 release. In one instance I can change the password to
> > > anything I want (including the same password) when I bind to the
> > > connection using the built-in admin user (dn=uid=admin,ou=system). In
> > > another instance running the same version of the 2.0.0-M20 release, that
> > > exact same operation (again bound as admin user) results in the following
> > > error: invalid reuse of password present in password history
> > >
> > you sure that this is happening during bind? this check is performed only
> > while updating the password of a user (excluding admin user)
> >
> > > It should never enforce the password policy for the admin user, correct?
> > > Any idea what could be causing it to enforce the policy in one M20
> > > instance and not the other?
> > >
> > > Thanks!
> > >
> >
>
> Hi Kiran...
>
> Right. It didn't happen during bind, it happened when I tried to update
> the password to the same value after binding as the
> dn=uid=admin,ou=system user.
>
I found a way to recreate this problem. I believe the issue is that when
bound to a connection using the "uid=admin,ou=system" user, it enforces
the ads-pwdInHistory in the password policy of the uid I'm changing the
password for. For example, if I'm changing the password for
uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has a
pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting even
with the admin user.

My understanding is that since it's the admin user, it should not be
enforcing any password policy rules.
Steps:

(1) Create a password policy where the ads-pwdInHistory is greater than 0
so it enforces not reusing passwords.

(2) Create a uid and set its pwdPolicySubentry to the above password
policy.

(3) Create a connection and bind to it using the "uid=admin,ou=system"
user, and then modify the password for the above uid. You will get this
error:

error: invalid reuse of password present in password history
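Added example (an illustrative model written for this page, not ApacheDS source and not part of the thread): a minimal password-history check of the kind the steps above exercise, keeping the last ads-pwdInHistory passwords and taking a switch for whether a bind as uid=admin,ou=system is exempt from the policy, so the accepted and rejected outcomes David describes can be reproduced offline. The salted-hash storage, the `exempt_admin` flag and the sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ADMIN_DN = "uid=admin,ou=system"  # bind DN used in the thread
REUSE_ERROR = "invalid reuse of password present in password history"


def hash_password(password, salt):
    # Salted SHA-256 for the model; the server's real storage format is not modelled.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class PasswordHistory:
    """Keeps the most recent `pwd_in_history` passwords, like ads-pwdInHistory."""

    def __init__(self, pwd_in_history):
        self.pwd_in_history = pwd_in_history
        self.entries = []  # list of (salt, digest), oldest first

    def contains(self, password):
        # Constant-time comparison against every stored digest.
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password):
        salt = secrets.token_bytes(16)
        self.entries.append((salt, hash_password(password, salt)))
        # Trim to the policy size; 0 means no history is kept at all.
        if self.pwd_in_history > 0:
            self.entries = self.entries[-self.pwd_in_history:]
        else:
            self.entries = []


def change_password(history, new_password, bind_dn, exempt_admin):
    """Apply the history rule and return 'ok' or the error string from the thread.

    exempt_admin=True models the behaviour David expects (admin bypasses policy);
    exempt_admin=False models the instance that rejected the same-password change.
    """
    policy_applies = not (exempt_admin and bind_dn == ADMIN_DN)
    if policy_applies and history.pwd_in_history > 0 and history.contains(new_password):
        return REUSE_ERROR
    history.record(new_password)
    return "ok"
```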