I think that in newer versions of 389 you need a special permission to
adding already hashed passwords or change user password scheme:
Hope that helps you.
On Tue, Aug 29, 2017 at 4:48 PM, Kirk MacDonald <
I am migrating an LDAP system from CentOS-Directory/8.1.0 B2009.134.1334
to 389-Directory/188.8.131.52 B2017.145.2037
We have an external app/too for user password management.
The tool binds as a special user when changing passwords in the "forgot
password" use case, and as the regular user in the "I know my password but
want to change it" use case.
In both use cases the tool has the behavior of generating an SSHA hash
string and then doing an ldapmodify to change the userPassword value to
that string. When we tested the tool against the new instances we got the
error in the subject.
I had already defined the proper ACI for the special user. Digging around
I found if I provided the dn for special user in the passwordAdminDN
attribute value in cn=config the "forgot password" use case worked. However
the application will of course continue to fail when it binds as the
One additional item - the systems we are coming from do have a Password
Policy configured, but I have not explicitly configured one yet on the new
systems, even though the relevant per-user attributes came over in the db
migration. However, the password policy is only for when the passwords need
to be changed/expired, as opposed to syntax/strength.
Is there a way around this without changing our app/tool to send the plain
password over SSL/TLS/STARTTLS?
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org