|
|
same situation with 5.9.0
sogo.conf important section
bindDN = "uid=sogo,dc=internal";
bindAsCurrentUser = YES;
openldap with ppolicy working as aspected using default tools like ldappasswd (ppolivy Attribute pwdSafeModify : FALSE )
ldappasswd -x -H ldap://localhost -D uid=sogo,dc=internal -S uid=test5.test5,ou=People,ou=internal,ou=Domains,dc=internal -W ->
slap_access_allowed: add access granted by write(=wrscxd) (userPassword)
conn=1059 op=1 PASSMOD id=uid=test5.test5,ou=People,ou=internal,ou=Domains,dc=internal" new -> OK
ldappasswd -x -H ldap://localhost -D uid=sogo,dc=internal -S uid=test5.test5,ou=People,ou=internal,ou=Domains,dc=internal -W -A (old pwd prompt)->
slap_access_allowed: add access granted by write(=wrscxd) (userPassword)
conn=1059 op=1 PASSMOD id=uid=test5.test5,ou=People,ou=internal,ou=Domains,dc=internal" old new -> OK
with SOGo -> passwordRecovery -> SOGo is sending PASSMOD id=uid=test5.test5,ou=People,ou=internal,ou=Domains,dc=internal" old new
-> text=unwilling to verify old password
Ldap Binds/ACL are correct - bind as , permission, query, etc.....
the only issue is using openldap (with ppolicy pwdSafeModify : FALSE):
PASSMOD without an old one has to be only with the new one -> PASSMOD new
so another try:
Any chance to get a kind of ldap configuration parameter enforcing ldap password change with new password only (for open ldap) ?
f.e.
passwordPolicy = YES;
passwordPolicySafeModify = FALSE;
passwordPolicySafeModifyModule = ("passwordRecovery "); |
