How could I bypass password history for a certain user in Red Hat Directory Server?
Environment
Red Hat Directory Server 8.x
Red Hat Directory Server 9.x
Issue
Need to bypass password history control of password policy.
Resolution
The root directory user (cn=Directory Manager) cannot bypass the password policy: password syntax and password history checks are always enforced, regardless of the bind DN. What the Directory Manager can do is clear the stored password history of the entry, after which the user is free to set the previously used value. The following ldapmodify command, with the LDIF change supplied on standard input, deletes the passwordHistory attribute of the affected entry:
ldapmodify -ZZZ -D "cn=directory manager" -w <password> -h localhost
dn: uid=test01,ou=People,dc=**,dc=**,dc=**
changetype: modify
delete: passwordHistory
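The following Python model is an added illustration of the behaviour this solution relies on; it is not code from Red Hat Directory Server or 389 Directory Server. It shows why the history check yields the same constraint violation for the user and for the Directory Manager (the check never consults the bind DN), and why clearing passwordHistory is what lets the reused value through. The {SSHA} hash layout, the GeneralizedTime prefix on history values, the result codes 19 and 50, the access rule on who may clear the history, and the uid=test01 entry with its passwords are assumptions or constructed sample data.

```python
"""Model of the password-history check, added for illustration only (not
Directory Server code).  Assumptions: passwordHistory values are laid out as
GeneralizedTime followed by the hashed password (20240101120000Z{SSHA}...),
and {SSHA} is base64(sha1(password + salt) + salt).  All data is constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

DIRECTORY_MANAGER = "cn=Directory Manager"
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19   # what ldappasswd/ldapmodify report above
LDAP_INSUFFICIENT_ACCESS = 50    # assumed result for a user editing history


def ssha_hash(password: str, salt: bytes) -> str:
    """Salted SHA-1 in the {SSHA} storage format: base64(digest || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the salt carried inside the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def split_history_value(value: str) -> tuple[str, str]:
    """'20240101120000Z{SSHA}xyz' -> ('20240101120000Z', '{SSHA}xyz')."""
    brace = value.find("{")
    return value[:brace], value[brace:]


def password_in_history(password: str, history: list[str]) -> bool:
    """True if the candidate matches any hashed value kept in passwordHistory."""
    return any(ssha_verify(password, split_history_value(v)[1]) for v in history)


def change_password(entry: dict, bind_dn: str, new_password: str) -> tuple[int, str]:
    """Password update with the history check applied to every bind DN.

    bind_dn is deliberately never consulted by the check: that is why the
    Directory Manager receives the same constraint violation as the user.
    """
    if password_in_history(new_password, entry["passwordHistory"]):
        return LDAP_CONSTRAINT_VIOLATION, "password in history"
    now = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    # The outgoing password is appended to the history before replacement.
    entry["passwordHistory"].append(now + entry["userPassword"])
    entry["userPassword"] = ssha_hash(new_password, os.urandom(8))
    return LDAP_SUCCESS, "success"


def clear_password_history(entry: dict, bind_dn: str) -> tuple[int, str]:
    """Equivalent of the Resolution's 'delete: passwordHistory' modify.

    In this model only the Directory Manager may write the attribute.
    """
    if bind_dn.lower() != DIRECTORY_MANAGER.lower():
        return LDAP_INSUFFICIENT_ACCESS, "insufficient access"
    entry["passwordHistory"] = []
    return LDAP_SUCCESS, "success"


def sample_entry() -> dict:
    """Constructed entry for uid=test01 with two previous passwords on record."""
    return {
        "dn": "uid=test01,ou=People,dc=example,dc=com",
        "userPassword": ssha_hash("Current-Pa55", b"salt0003"),
        "passwordHistory": [
            "20240101120000Z" + ssha_hash("Old-Pa55-one", b"salt0001"),
            "20240201120000Z" + ssha_hash("Old-Pa55-two", b"salt0002"),
        ],
    }


def walkthrough() -> list[tuple[int, str]]:
    """Replays the article: user fails, root DN fails, root DN clears the
    history, then the previously used password is accepted."""
    entry = sample_entry()
    user_dn = entry["dn"]
    return [
        change_password(entry, user_dn, "Old-Pa55-one"),            # (19, ...)
        change_password(entry, DIRECTORY_MANAGER, "Old-Pa55-one"),  # (19, ...)
        clear_password_history(entry, user_dn),                     # (50, ...)
        clear_password_history(entry, DIRECTORY_MANAGER),           # (0, ...)
        change_password(entry, user_dn, "Old-Pa55-one"),            # (0, ...)
    ]


if __name__ == "__main__":
    for code, info in walkthrough():
        print(f"result code {code}: {info}")
```

Run it directly to see the five result codes in the order the article's Diagnostic Steps encounter them; the constraint violation disappears only after the history has been cleared, not because of who is bound.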
Root Cause
As an exception, a user needs to set a password that is already present in the entry's password history, which the password policy's history check rejects.
Diagnostic Steps
Example of a user attempting to change their password to a value already present in the password history:
ldappasswd -h localhost -ZZZ -x -D "uid=test01,ou=People,dc=example,dc=com" -S -w ******** uid=test01,ou=People,dc=example,dc=com
Result: Constraint violation (19)
Additional info: Failed to update password
Attempting the same change bound as the root directory user fails with the same error, because the root user cannot bypass the password policy either:
ldappasswd -h localhost -ZZZ -x -D "cn=Directory Manager" -S -w ******** uid=test01,ou=People,dc=**,dc=**,dc=**
Result: Constraint violation (19)
Additional info: Failed to update password
Using the ldapmodify command instead gives the same result:
ldapmodify -h localhost -D "cn=directory manager" -w *******
dn: cn=user1050,o=redhat
changetype: modify
replace: userpassword
userpassword: <new password>
modifying entry "cn=user1050,o=redhat"
ldap_modify: Constraint violation (19)
additional info: password in history
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.