Hello,
I am trying to use the global password policy in order to forbid the change of user passwords.
I unchecked the field "User may change password" with the console.
But normal users can change their own password with the /usr/lib/mozldap/ldappasswd command:

    # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w - -S
    New Password:
    Re-enter new Password:
    Enter bind password:
    ldappasswd: password successfully changed

A command-line verification of the cn=config entry of the DIT shows the passwordChange attribute value as "Off":

    # /usr/lib/mozldap/ldapsearch -s base -b "cn=config" -D "cn=Directory Manager" -w - "(cn=config)" passwordChange
    Enter bind password:
    version: 1
    dn: cn=config
    passwordChange: off

I have created a local password policy for my "ou=People" subtree and for my user "User1", but the user can change their own password! If I restart the dirsrv service on the system, this item of the policy is used.
CONCLUSION = Any change of the field "User may change password" in the Password Policy requires a restart of the LDAP daemon!
Hugo Etievant wrote:
Hello,
I am trying to use the global password policy in order to forbid the change of user passwords.
I unchecked the field "User may change password" with the console.
But normal users can change their own password with the /usr/lib/mozldap/ldappasswd command:

    # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w - -S
    New Password:
    Re-enter new Password:
    Enter bind password:
    ldappasswd: password successfully changed

What if you use ldapmodify to modify the userPassword attribute directly - same result?

A command-line verification of the cn=config entry of the DIT shows the passwordChange attribute value as "Off":

    # /usr/lib/mozldap/ldapsearch -s base -b "cn=config" -D "cn=Directory Manager" -w - "(cn=config)" passwordChange
    Enter bind password:
    version: 1
    dn: cn=config
    passwordChange: off

I have created a local password policy for my "ou=People" subtree and for my user "User1", but the user can change their own password! If I restart the dirsrv service on the system, this item of the policy is used.
CONCLUSION = Any change of the field "User may change password" in the Password Policy requires a restart of the LDAP daemon!
Hello,
If I use the ldapmodify command, a change of the password policy's "User may change password" attribute is used immediately without an LDAP daemon restart, but if I use ldappasswd, I have to restart the LDAP daemon!
Why this difference?
Hugo Etievant wrote:
Hello,
If I use the ldapmodify command, a change of the password policy's "User may change password" attribute is used immediately without an LDAP daemon restart, but if I use ldappasswd, I have to restart the LDAP daemon!
Why this difference?

Let me see if I understand. After changing the password policy to "User may change password":
- If you use ldapmodify to change the userPassword attribute, the policy is in effect immediately without a server restart.
- If you use ldappasswd to change the user's password, the policy is not in effect until after a server restart.
Is this correct? If so, sounds like a bug - in either case, the change should take effect immediately.
Rich Megginson wrote:
Hugo Etievant wrote:
Hello,
If I use the ldapmodify command, a change of the password policy's "User may change password" attribute is used immediately without an LDAP daemon restart, but if I use ldappasswd, I have to restart the LDAP daemon!
Why this difference?

Let me see if I understand. After changing the password policy to "User may change password":
- If you use ldapmodify to change the userPassword attribute, the policy is in effect immediately without a server restart.
- If you use ldappasswd to change the user's password, the policy is not in effect until after a server restart.
Is this correct?

Yes, it is! Exactly.

If so, sounds like a bug - in either case, the change should take effect immediately.

I think so, too!
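
A check for the discrepancy confirmed above, as an added example that is not part of the original thread: after unchecking "User may change password" and without restarting the server, it tries both change paths as the user and reports whether the server treats them the same. The function names are hypothetical; the DN, tool path and -P/-m options are the ones from the thread, and it is assumed that ldapmodify accepts those options and reads the LDIF with -f.

```shell
#!/bin/sh
# Added example, not from the thread. Interactive: both tools prompt for the
# bind password because of "-w -", as in the commands quoted in the thread.
USER_DN='uid=user1,ou=People,dc=example,dc=com'   # DN used in the thread
TOOLS=/usr/lib/mozldap                            # tool path used in the thread
SEC='-P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/'  # options from the thread

# LDIF for a direct write to userPassword (the ldapmodify path).
userpassword_ldif() {   # $1 = entry DN, $2 = new password
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# Exit status 0 means the server accepted the change. A failed bind is also
# non-zero, so read the client's own message before trusting "refused".
verdict() {             # $1 = client exit status
    if [ "$1" -eq 0 ]; then echo accepted; else echo refused; fi
}

# With passwordChange: off, both paths should be refused.
compare_paths() {       # $1 = ldapmodify verdict, $2 = ldappasswd verdict
    if [ "$1" = "$2" ]; then echo "consistent: both $1"
    else echo "INCONSISTENT: ldapmodify $1, ldappasswd $2"; fi
}

run_check() {
    printf 'Throwaway password for the ldapmodify attempt: ' >&2
    stty -echo; read -r newpw; stty echo; echo >&2
    ldif=$(mktemp) || return 2          # mktemp creates the file mode 0600
    userpassword_ldif "$USER_DN" "$newpw" > "$ldif"
    # SEC is left unquoted on purpose so it splits into separate options.
    "$TOOLS/ldapmodify" $SEC -D "$USER_DN" -w - -f "$ldif"
    m=$(verdict $?)
    rm -f "$ldif"
    # If ldapmodify was accepted, the bind password is now the throwaway one.
    "$TOOLS/ldappasswd" $SEC -D "$USER_DN" -w - -S
    p=$(verdict $?)
    compare_paths "$m" "$p"
}

# Only contact a server when asked to: sh check.sh run
if [ "${1:-}" = run ]; then run_check; fi
```

The state reported in this thread corresponds to the INCONSISTENT line with ldapmodify refused and ldappasswd accepted; after a restart both should be refused.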
389-users@lists.fedoraproject.org