Well I just like to note that you SHOULD NOT want to use a password like
that.
It's completely insecure and thus a very BAD idea from a security
perspective.
As far as I know, you can override a directory wide password policy per
account, so if the restrictions come from there, just change them there,
there is a setting that defines how different a next password should be.
If it come from a module in between with similar rules and if you really
want to do this, you should also modify it there.
If the module correctly handles LDAP responses regarding password policies,
then you should be able to disable the checks there.
On Wed, May 28, 2014 at 11:06 PM, John Trump <trumpjk(a)gmail.com> wrote:
The issue was being caused by the pam module on the linux systems.
Not
sure why I have to modify pam module to allow similar paswords when
changing ldap passwords.
On Wed, May 28, 2014 at 4:24 PM, Mark Reynolds <mareynol(a)redhat.com>wrote:
>
> On 05/28/2014 04:21 PM, John Trump wrote:
>
> Not using any other client app. User logged on to a linux system and
> trying to change password. If they choose a password to similar to the old
> one it will not allow it.
>
> How are you changing the password, are you using ldapmodify? Can you
> post access log(/var/log/dirsrv/slapd-INSTANCE/access) output showing the
> failed password attempt?
>
>
>
> On Wed, May 28, 2014 at 4:14 PM, Mark Reynolds <mareynol(a)redhat.com>wrote:
>
>>
>> On 05/28/2014 04:06 PM, John Trump wrote:
>>
>> Haven't been able to come up with a solution yet. Hopefully someone on
>> the list has a suggestion.
>>
>>
>> On Fri, May 23, 2014 at 12:42 PM, John Trump <trumpjk(a)gmail.com> wrote:
>>
>>> I would like to relax the password policy for specific users to allow
>>> them to modify passwords but use similar password to their old one. These
>>> are "group" accounts and would like to allow password to be set
to:
>>> password01 then allow password to be changed to password02. Currently this
>>> is not allowed. I understand security risk etc in allowing this. I do want
>>> to keep other password complexity and history settings.
>>>
>>> Suggestions?
>>>
>> I'm not aware of a setting in 389 that prohibits you from using
>> secret01, then secret02, and then secret03, etc. These should all be
>> allowed. Are you using some other client app(freeIPA?) to make these
>> password updates?
>>
>>
>>
>>
>> --
>> 389 users mailing
list389-users@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users(a)lists.fedoraproject.org
>>
https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
>
>
> --
> 389 users mailing
list389-users@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/389-users
>
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users