hi all
>https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
Thanks for the tip, I will try it.
>But you are using subtree policies, these override the global
>policy. You need to set passwordHistory in your subtree policy:
??
I set it at the global level (see again my screen dump from the first thread), at the "DATA"
tree. Yes, it has been working for at least 3 years.
>So if you change the password as directory manager it will let you
>do whatever you want. So make sure you always change passwords as a
>"database user" if you expect password policies to be enforced.
Not correct; below is a test from another LDAP instance with the same LDAP version. In this
LDAP setup passwordHistory works, fortunately.
Let us test again: the password is in the test script and I do it as Directory Manager
(see the test script in the first thread).
[root@centos ldap]# ./test_passwd_history.ksh
dn: cn=Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos
passwordRetryCount: 0
passwordExpWarned: 0
passwordExpirationTime: 19700101000000Z
passwordHistory: 20170227155538Z{crypt}6JpUMxrkKWlAE
passwordHistory: 20170227155900Z{crypt}N3fSq/dQumt.M
passwordHistory: 20170227155956Z{crypt}d9gk5RmC/p/mM
passwordHistory: 20170227160009Z{crypt}VVdJ0STcpFZ5E
passwordHistory: 20170227161428Z{crypt}3NiVtBZZRLt2c
passwordHistory: 20170228164119Z{crypt}mBGEwcpLcNCgU
passwordHistory: 20170301104202Z{crypt}LBI9oRjH/5Igs
createtimestamp: 20170127162440Z
modifytimestamp: 20170301105634Z
retryCountResetTime: 20170207200155Z
successful
[root@centos ldap]# ./test_passwd_history.ksh
dn: cn=Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos
passwordRetryCount: 0
passwordExpWarned: 0
passwordExpirationTime: 19700101000000Z
passwordHistory: 20170227155538Z{crypt}6JpUMxrkKWlAE
passwordHistory: 20170227155900Z{crypt}N3fSq/dQumt.M
passwordHistory: 20170227155956Z{crypt}d9gk5RmC/p/mM
passwordHistory: 20170227160009Z{crypt}VVdJ0STcpFZ5E
passwordHistory: 20170227161428Z{crypt}3NiVtBZZRLt2c
passwordHistory: 20170228164119Z{crypt}mBGEwcpLcNCgU
passwordHistory: 20170301104202Z{crypt}LBI9oRjH/5Igs
passwordHistory: 20170301145159Z{crypt}8LrUk1IX67Ivg
createtimestamp: 20170127162440Z
modifytimestamp: 20170301145159Z
retryCountResetTime: 20170207200155Z
passwordAllowChangeTime: 20170302145159Z
Result: Constraint violation (19)
Additional info: Failed to update password
It failed the second time due to passwordAllowChangeTime. I have deleted that entry now.
[root@centos ldap]# ./test_passwd_history.ksh
dn: cn=Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos
passwordRetryCount: 0
passwordExpWarned: 0
passwordExpirationTime: 19700101000000Z
passwordHistory: 20170227155538Z{crypt}6JpUMxrkKWlAE
passwordHistory: 20170227155900Z{crypt}N3fSq/dQumt.M
passwordHistory: 20170227155956Z{crypt}d9gk5RmC/p/mM
passwordHistory: 20170227160009Z{crypt}VVdJ0STcpFZ5E
passwordHistory: 20170227161428Z{crypt}3NiVtBZZRLt2c
passwordHistory: 20170228164119Z{crypt}mBGEwcpLcNCgU
passwordHistory: 20170301104202Z{crypt}LBI9oRjH/5Igs
passwordHistory: 20170301145159Z{crypt}8LrUk1IX67Ivg
createtimestamp: 20170127162440Z
modifytimestamp: 20170301160930Z
retryCountResetTime: 20170207200155Z
Result: Constraint violation (19)
Additional info: Failed to update password
[root@centos ldap]#
It failed due to passwordHistory: not allowed to use the same password again.
[root@centos ldap]# cat ./test_passwd_history.ksh
#!/bin/ksh
# LDAP test: check whether the password is expired or not - tng 20170226
# Show the password-policy attributes of the test user
ldapsearch -xLLL -ZZ -b dc=centos '(&(uid=tnng2))' userPassword \
    passwordRetryCount passwordExpWarned accountUnlockTime passwordExpirationTime \
    passwordHistory createtimestamp modifytimestamp retryCountResetTime \
    passwordAllowChangeTime nsRoleDN
# Set the user's password (same value on every run), binding as Directory Manager
ldappasswd -s 'Ja#%==TNG8' -w 'SECRET!' -x -ZZ -D 'cn=directory manager' \
    'cn=Tuan Test,cn=unixtek,ou=Infrastructure,dc=centos'
br Tuan