
CentOS Directory Server - Changing Password via LDAP Modify, passing in old password

Server Fault Asked by ipsi on December 22, 2021

This might be a bit odd, as I’ve had no success finding a solution thus far.

This is installed in CentOS 5.8, and using CentOS-Directory/8.2.8 B2012.041.1227.

Simply, I am using an application which will prompt the user to change their password (OpenAM). That works mostly fine, but if the DS is set up to store the password history, the client application is unable to change the password, constantly going “Password in history”. That’s not very useful, especially since I know that the password has not previously been used.

After sitting down with Wireshark, I saw that the client app was sending the following request:

dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword
userpassword: location
-
add: userpassword
userpassword: american_psycho

Which keels over with “Password in history”. I tried that same request on the command line:

$ ldapmodify -h host -p 389 -D "uid=AUser,ou=People,dc=testldap" -w location
dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword
userpassword: location
-
add: userpassword
userpassword: american_psycho
^D
Processing MODIFY request for uid=AUser,ou=People,dc=testldap
MODIFY operation failed
Result Code:  19 (Constraint Violation)
Additional Information:  password in history

However, if I try the following:

$ ldapmodify -h host -p 389 -D "uid=AUser,ou=People,dc=testldap" -w location
dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword 
-
add: userpassword
userpassword: american_psycho
^D
Processing MODIFY request for uid=AUser,ou=People,dc=testldap
MODIFY operation successful for uid=AUser,ou=People,dc=testldap

Then that obviously works, the only difference being that I’m not passing in the old password this time. I understand why you would want to pass in a value to delete (e.g. if it’s a multi-valued attribute), but I don’t understand why the DS is checking it against the password history…

I’ve checked the log files, and even with all the logging turned on I don’t see anything useful…

There’s no way to configure the client application to not send through the old password without forking it ourselves, so I’m really hoping that there’s some way to configure the CentOS Directory Server to handle this. I know that this is supported by Active Directory (or was at some point: http://msdn.microsoft.com/en-us/library/cc223249.aspx), but I can’t find out how to have this be supported in CentOS DS.
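The two change records in the question differ only in whether the delete operation carries the old password as a value. As an added example (not from the question, the answer or the CentOS DS project), here is a small Python parser for LDIF modify records that makes that difference explicit; the embedded record is a constructed copy of the first one above.

```python
import base64
from typing import List, Optional, Tuple

# Constructed sample input: the first change record from the question above.
LDIF_WITH_OLD_VALUE = """dn: uid=AUser,ou=People,dc=testldap
changetype: modify
delete: userpassword
userpassword: location
-
add: userpassword
userpassword: american_psycho
"""

Modification = Tuple[str, str, List[str]]  # (operation, attribute, values)

def parse_modify_record(ldif: str) -> Tuple[str, List[Modification]]:
    """Parse one 'changetype: modify' LDIF record into (dn, modifications).
    Handles 'attr:: <base64>' values and '-' separators; folded lines are not."""
    dn = ""
    mods: List[Modification] = []
    current: Optional[Modification] = None
    for raw in ldif.splitlines():
        line = raw.rstrip()  # tolerate trailing whitespace, as in the question
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if key in ("-", "add", "delete", "replace"):
            if current:  # close the previous modification
                mods.append(current)
            current = None if key == "-" else (key, value.lower(), [])
        elif key == "dn":
            dn = value
        elif key == "changetype" and value.lower() != "modify":
            raise ValueError(f"not a modify record: {value}")
        elif current and key == current[1]:
            current[2].append(value)  # a value for the current modification
        elif key != "changetype":
            raise ValueError(f"unexpected line: {line!r}")
    if current:
        mods.append(current)
    return dn, mods

def deletes_carry_values(mods: List[Modification]) -> bool:
    """True if some delete names a specific value (here: the old password)."""
    return any(op == "delete" and bool(vals) for op, _attr, vals in mods)
```

Run against the second record from the question, the delete comes back with an empty value list, which is exactly the variant the server accepted.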

One Answer

slapcat -H ldap://host:389/uid=AUser,ou=People,dc=testldap -l export.ldif

This command exports a directory entry (or the whole database) to LDIF format.
If something is wrong with the database, you can fix it and import the LDIF file.

Answered by rhasti on December 22, 2021
