Password Policy doesn't work

Hello,

I’m facing a problem with the password policy. You can see in the screenshot the policy applied to a user. But when this user changes the password to the same one through self service, it is allowed to do so. Password history seems to not work. I tested the password length with a new policy of 4 digits, and it still asks for 8. This means that changing the policy does not have any effect.

Any idea why this is happening?

ucs

With this command I made a workaround: samba-tool domain passwordsettings set --history-length=5

Now the history length is ok. But this does not solve the password policy problem of UCS.

The problem here is that there are two LDAP servers (OpenLDAP & Samba LDAP), and both have their own set of password policies. The LDAP password policies you can configure in the UMC only affect changing passwords via LDAP. The Samba password policies on the other hand affect changing passwords via Kerberos (e.g. on a domain-joined Windows PC).

The self-service portal actually uses Kerberos under the hood in order to change the password. That’s why using samba-tool has an effect.

Yeah, all of this is rather confusing, unfortunately.
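A drift check for the two policy stores described above, as an added example that is not part of the original posts or of UCS. The function names are hypothetical, the sample `samba-tool domain passwordsettings show` output is constructed with an assumed layout, and the expected LDAP values (history 5, length 4) are chosen to mirror the thread.

```shell
#!/bin/sh
# Added example: compare the LDAP (UMC) policy values you expect with what
# Samba actually enforces for Kerberos password changes.

# Constructed sample of `samba-tool domain passwordsettings show` output.
# Layout is assumed; the values are invented to mirror the thread.
SAMPLE_SAMBA="Password information for domain 'DC=example,DC=test'

Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 90"

# samba_setting LABEL: print the value of LABEL from settings text on stdin.
samba_setting() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# policy_drift HISTORY MINLEN: read Samba settings on stdin, print one line
# per value that differs from the LDAP policy, return 1 if any differ.
policy_drift() {
    settings=$(cat)
    have_hist=$(printf '%s\n' "$settings" | samba_setting 'Password history length')
    have_len=$(printf '%s\n' "$settings" | samba_setting 'Minimum password length')
    rc=0
    [ "$have_hist" = "$1" ] || { echo "history length: LDAP policy=$1 Samba=${have_hist:-missing}"; rc=1; }
    [ "$have_len" = "$2" ] || { echo "minimum length: LDAP policy=$2 Samba=${have_len:-missing}"; rc=1; }
    return "$rc"
}

# Demo on the constructed sample: LDAP policy says history 5, length 4.
printf '%s\n' "$SAMPLE_SAMBA" | policy_drift 5 4 || echo "policies differ"
# On a DC (live): samba-tool domain passwordsettings show | policy_drift 5 4
```
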

What you're changing in your screenshot is the LDAP password policy.
When using Windows domain services you have to set them equal in the AD domain too, as they are not synced through the S4 connector.
To change the AD password global settings, go to UMC -> LDAP -> samba -> domain and set the policy there.

If you have to set password settings for a single user, do this with the Windows RSAT tools.

rg
Christian

Thank you guys for your information. What I’m not understanding is why this used to work when I first implemented the password policies, and after some months does not. I’m interested in having 2 or 3 password policies for different users.

For that you may also do that through group policies.

rg
Christian