Disable password schema update on LDAP bind

389-DS 1.4.1+ attempts to update passwords to new schema on LDAP bind. IPA blocks hashed password updates and requires password changes to go through proper APIs. This option disables password hashing schema updates on bind. See: https://pagure.io/freeipa/issue/8315 See: https://bugzilla.redhat.com/show_bug.cgi?id=1833266 See: https://pagure.io/389-ds-base/issue/49421 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-05-08 12:01:03 +02:00
parent 6fc213d10d
commit aa341020c8
3 changed files with 19 additions and 0 deletions
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -752,6 +752,7 @@ class LDAPClient:
        'nsslapd-idlistscanlimit': True,
        'nsslapd-anonlimitsdn': True,
        'nsslapd-minssf-exclude-rootdse': True,
+        'nsslapd-enable-upgrade-hash': True,
    })

    time_limit = -1.0   # unlimited