<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 09/18/2009 08:10 AM, Kenneth Holter wrote: <blockquote cite="mid:c25f25140909180810t4c4cd480ucd9a9759d0c73c98@mail.gmail.com" type="cite"> <div> </div> <div>Hi all.</div> <div> </div> <div>I'm running Red Hat Directory Server 8.1.0, and are having some problems with password syntax checking. When I don't enable the syntax checking, everything works fine. But when I enable it it seems to discard even pretty strong passwords. In the example belov I've configured password syntax checking like this:</div> <ul> <li>Password minimum length: 8</li> <li>Minimum required character categories: 1</li> <li>Minimum token length: 3 (btw, don't know why I need to set this)</li> </ul> </blockquote> This is the token length to use for a "trivial words" check. This prevents someone from using portions of their cn, uid, etc. values in their password. The values are broken into tokens of this length and the password is then checked to see if any of the tokens exist.<br> <blockquote cite="mid:c25f25140909180810t4c4cd480ucd9a9759d0c73c98@mail.gmail.com" type="cite"> <div><font face="Arial" size="2">The new password I try to change to has two digits, four lower case letters, one uppercase letter, and one special character. So it should be far more complicated that the above settings call for. This is the output:</font></div> <div> </div> <div><font size="2">#### Output start </font></div> <div><font face="Arial" size="2">[root@server ~]# ssh kenneth@localhost</font> <br> <font face="Arial" size="2">kenneth@localhost's password:</font> <br> <font face="Arial" size="2">You are required to change your LDAP password immediately.</font> <br> <font face="Arial" size="2">Last login: Fri Sep 18 16:37:26 2009 from localhost.localdomain</font> </div> <p><font face="Arial" size="2">Welcome to the server!</font> </p> <p><font face="Arial" size="2">WARNING: Your password has expired.</font> <br> <font face="Arial" size="2">You must change your password now and login again!</font> <br> <font face="Arial" size="2">Changing password for user kenneth.</font> <br> <font face="Arial" size="2">Enter login(LDAP) password:</font> <br> <font face="Arial" size="2">New UNIX password:</font> <br> <font face="Arial" size="2">Retype new UNIX password:</font> <br> <span></span><span class="q"><font face="Arial" size="2">LDAP password information update failed: Constraint violation</font> <br> <font face="Arial" size="2">invalid password syntax - passwords with storage scheme are not allowed</font> <br> </span><font face="Arial" size="2">passwd: Permission denied</font> <br> <font face="Arial" size="2">Connection to localhost closed.</font> </p> <div>##### Output end</div> <div> </div> <div> </div> <div>So basically what I'm wondering about is exactly which constraint I'm violating. In other words, what does the "password<font color="#550055"><font size="2"> with storage scheme are not allowed" tell me?</font></font></div> </blockquote> Your password is being hashed by your client system before it is sent to the Directory Server. This is not allowed since the server would have no way to enforce it's password policy against a pre-hashed password. You need to configure /etc/ldap.conf to send the clear text password to the LDAP server. You should use SSL/TLS to protect the password in transit.<br> <blockquote cite="mid:c25f25140909180810t4c4cd480ucd9a9759d0c73c98@mail.gmail.com" type="cite"> <div> </div> <div> </div> <div><font color="#550055" size="2">Best regards,</font></div> <div><font color="#550055" size="2">Kenneth Holter</font></div> <p> </p> <p> </p> <pre wrap=""> <hr size="4" width="90%"> -- 389 users mailing list <a class="moz-txt-link-abbreviated" href="mailto:389-users@redhat.com">389-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> </pre> </blockquote> <br> </body> </html>