On 6/3/19 1:16 PM, Eric Freeman wrote:
Between 389 LDAP versions 126.96.36.199-33 and 188.8.131.52-97, we're finding
that the Directory Manager account can bypass configured password
policies and set user passwords to anything. I believe this is now by
design, but is there a configuration file flag to revert to the
previous behavior where Directory Manager needed to conform to the
Sorry there is not.
If not, how do we create a user account in 389 ldap server with rights
to check and update user password hashes, and still enforce configured
You create a new user, and you add an ACI to the suffix to allow this
user to update passwords.
Create a user, something like this
dn: uid=password update user,ou=people,dc=example,dc=com
Add "aci" to the suffix to allow this user rights to update userpassword
ldapmodify -D "cn=directory manager" -W
aci: (targetattr = "userPassword") (version 3.0; acl "Allow user to
update passwords"; allow (write) (userdn = "ldap:///uid=password update
That should do it.
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines