LDAP/LDIF "replace" of userPassword accepts a password the user has already used.

  • 3375736
  • 14-Jan-2008
  • 26-Apr-2012

Environment

Novell eDirectory 8.7.3.7 LDAP server, for All Platforms
An LDAP client importing an LDIF file.

Situation

Using the LDAP "replace: userPassword" syntax in an LDIF import file to change a user's password allows a password that was previously assigned to that user, even though the user has the "require unique passwords" option set. That option is meant to prevent assigning the user a password that has already been assigned to that user in the past.

You can change the user's password with an LDAP modify that uses the 'replace' syntax for userPassword. With "require unique passwords" configured on the user, the modify succeeds, and you can then change the password again with the same password that was just used. After several repeats of these steps (the same password over and over in the LDIF modify), the server eventually returns an LDAP constraint violation, meaning the password was finally recognized as already used and the change with that same password is refused.
The problem goes further: if you go to another LDAP server in the same eDirectory tree (even one that holds a replica of the partition containing this user object) and use the same LDIF modify file, you are again allowed to set the password that has already been used / assigned.

Resolution

Workaround - use the LDAP 'delete' and 'add' syntax for the userPassword modify in the import file instead of 'replace'. With that form, the same password cannot be reused when the user object is configured to "require unique passwords".
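As an added example covering both the affected 'replace: userPassword' form from the Situation and the delete/add form of the workaround (this is not part of the TID and not Novell code), the Python script below pre-screens an LDIF import file, reports the entries that use 'replace' on userPassword, and rewrites those changes into the delete/add form. The sample LDIF, the DNs and the password value are constructed for the example. It also assumes the workaround's 'delete: userPassword' carries no value (removing all existing values) before the 'add', a detail the TID does not spell out.

```python
"""Pre-screen an LDIF import for 'replace: userPassword' and rewrite to delete/add.

Added example, not Novell's code. Assumes plain LDIF modify records and a
value-less 'delete: userPassword' followed by 'add: userPassword' as the
workaround form.
"""
import base64

PASSWORD_ATTR = "userpassword"  # eDirectory attribute names are case-insensitive

# Constructed sample import file: one password change using the affected
# 'replace' form and one unrelated modify that must pass through unchanged.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=users,o=acme
changetype: modify
replace: userPassword
userPassword: Winter2008!
-

dn: cn=bjones,ou=users,o=acme
changetype: modify
replace: telephoneNumber
telephoneNumber: +1 555 0100
-
"""


def parse_ldif(text):
    """Split LDIF into records: dicts with dn, changetype, changes and raw lines.

    Handles folded continuation lines, '::' base64 values, '#' comments and the
    '-' separators between attribute changes of a modify record.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, block = [], []
    for line in lines + [""]:                  # trailing "" flushes last block
        if line.strip() == "":
            if block:
                records.append(_parse_record(block))
                block = []
        elif not line.startswith("#"):
            block.append(line)
    return records


def _parse_record(block):
    dn = changetype = None
    changes, current = [], None               # current = (op, attr, [values])
    for line in block:
        if line == "-":
            if current:
                changes.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        lname = name.lower()
        if lname == "dn":
            dn = value
        elif lname == "changetype":
            changetype = value.lower()
        elif lname in ("add", "delete", "replace"):
            if current:
                changes.append(current)
            current = (lname, value, [])
        elif current and lname == current[1].lower():
            current[2].append(value)
    if current:
        changes.append(current)
    return {"dn": dn, "changetype": changetype, "changes": changes, "raw": list(block)}


def find_password_replaces(records):
    """DNs of modify records that use 'replace' on userPassword (the bad form)."""
    return [r["dn"] for r in records if r["changetype"] == "modify"
            and any(op == "replace" and attr.lower() == PASSWORD_ATTR
                    for op, attr, _ in r["changes"])]


def _ldif_line(attr, value):
    """Encode a value as LDIF, base64 where RFC 2849 requires it (passwords often do)."""
    unsafe = value[:1] in (" ", ":", "<") or value.endswith(" ") \
        or not value.isascii() or any(c in value for c in "\r\n\0")
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def rewrite_to_delete_add(records):
    """Emit LDIF in which every replace on userPassword becomes delete + add."""
    out = []
    for r in records:
        if r["changetype"] != "modify":       # non-modify records pass through
            out.extend(r["raw"] + [""])
            continue
        out += [f"dn: {r['dn']}", "changetype: modify"]
        for op, attr, values in r["changes"]:
            if op == "replace" and attr.lower() == PASSWORD_ATTR:
                out += [f"delete: {attr}", "-", f"add: {attr}"]   # workaround form
            else:
                out.append(f"{op}: {attr}")
            out += [_ldif_line(attr, v) for v in values] + ["-"]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("replace on userPassword for:", find_password_replaces(recs))
    print(rewrite_to_delete_add(recs))
```

Feed the rewritten file to the same client you used before; with the OpenLDAP client that is `ldapmodify -x -H ldap://<server> -D <admin dn> -W -f <file>`. The check only recognises the LDIF form described above; it cannot tell you whether a given server enforces uniqueness, so the real fix remains updating to 8.7.3 SP9.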

This has been fixed in eDirectory 8.7.3 SP9.