Description of problem:
Log in as an IPA user, and change your own password. The default policy is Min lifetime is an hour, and Min length is 8. If password is changed within the hour, error indicates:

ipa: ERROR: Constraint violation: Password Fails to meet minimum strength criteria

This indicates the length or required char/numbers is incorrect. But it is actually the min lifetime causing the password to not be accepted. Set that to zero, and was able to change password

Note: Using kpasswd indicated the actual issue with pwpolicy:

#kpasswd two
Password for two@TESTRELM:
Enter new password:
Enter it again:
Password change rejected: Password change failed Err7: Too soon to change password.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a user, set its passwd
2. kinit as user, reset passwd
3. As this user, change own passwd (all within the hour)

Actual results:
Fails with error:
ipa: ERROR: Constraint violation: Password Fails to meet minimum strength criteria

Expected results:
Be able to change password

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2067
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f2cc9c8d33e50b52554a2df8148d4bf7c92fc89a
ipa-2-2: https://fedorahosted.org/freeipa/changeset/55cd9e7dbec3d74c1856fc177bb3d64010761cc2
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: "ipa passwd" CLI command used to change user's password always reported the same error message when a password change failed.
Consequence: User password changes are a subject of configured password policy. Without a proper error message, it may be difficult to investigate why the password change failed (password complexity, too soon to change password, etc.) and amend the situation.
Fix: Directory server plugin used to change passwords now returns proper error to the "ipa passwd" command.
Result: When password change fails, user receives an error message with exact reason, which should make the following amendment much easier.
verified :

# ipa passwd
Current Password:
New Password:
Enter New Password again to verify:
ipa: ERROR: Constraint violation: Too soon to change password

version : ipa-server-2.2.0-11.el6.i686
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html