Hugo Etievant wrote:
> hello,
>
> I use only GUI for configuration. I do not use perl script.

The GUI does the same thing as the perl script.

> I have checked the "Enable fine-grained password policy" on global
> Password Policy.
> And I have configured a local Password policy on a subtree.
> But this second policy does not work as it should: the minimum length
> of password is ignored.
>
> "nsslapd-pwpolicy-local: on" appears in my dse.ldif file
>
> an LDAP search shows the password policy but some attributes of my
> policy do not appear!
>
> example:
> dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,dc=fr",cn=nsPwPolicyContainer,ou=tests,dc=inrp,dc=fr
> passwordMinDigits: 1
> passwordMinAlphas: 1
> passwordStorageScheme: ssha
> passwordGraceLimit: 0
> passwordCheckSyntax: on
> passwordMinTokenLength: 2
> passwordInHistory: 10
> passwordChange: on
> passwordWarning: 0
> passwordMinAge: 0
> passwordHistory: on
> passwordExp: on
> passwordMustChange: off
> passwordMaxAge: 63072000
> objectClass: ldapsubentry
> objectClass: passwordpolicy
>
> here, the "passwordMinLen" attribute does not appear, but I have entered
> this with the GUI tool (value = "8" chars) !!!!
>
> is this a bug?
>
> I apply the same policy for global and for local subtree but I have
> different LDAP entries!
>
> global policy attributes:
>
> nsslapd-security: on
> nsslapd-pwpolicy-local: on
> passwordMinLength: 8
> passwordMinCategories: 3
> passwordMinTokenLength: 2
> passwordCheckSyntax: on
> passwordMinAlphas: 1
> passwordMinDigits: 1
> passwordMaxAge: 63072000
> passwordExp: on
> passwordHistory: on
> passwordWarning: 0
> passwordInHistory: 10
>
> local policy attributes:
>
> passwordMinDigits: 1
> passwordMinAlphas: 1
> passwordStorageScheme: ssha
> passwordGraceLimit: 0
> passwordCheckSyntax: on
> passwordMinTokenLength: 2
> passwordInHistory: 10
> passwordChange: on
> passwordWarning: 0
> passwordMinAge: 0
> passwordHistory: on
> passwordExp: on
> passwordMustChange: off
> passwordMaxAge: 63072000
>
> here: passwordMinLen is lost !!!!!

Is passwordMinLength the only attribute you cannot set in your local password policy? Do you have this problem with any other attribute?

> => how can I apply this rule about min length of password ?????
>
> regards
>
> Visolve LDAP Group wrote:
>>
>> Hi,
>>
>> Hugo Étiévant,
>>
>> I believe you configured the sub tree password policy through
>> ns-newpwpolicy.pl script.
>>
>> When you configure the global password policy it may override the sub
>> tree password policy. So make sure that 'nsslapd-pwpolicy-local' is
>> 'on' in cn=config entry of dse.ldif file to make the sub tree policy
>> to work.
>>
>> This attribute decides whether the local password policy is enabled
>> or not. Anyways the execution of ns-newpwpolicy.pl script will turn
>> this attribute value to 'on'.
>>
>> However you cannot see any traces of sub tree Password policy
>> attributes by searching cn=config tree or in dse.ldif file. It will
>> show only global password policy attributes.
>>
>> You can see list of applied sub tree password policy attributes
>> by performing a search like this.
>>
>> /opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
>> -D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry
>>
>> dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
>> passwordExp: off
>> passwordMaxAge: 10
>> passwordWarning: 15
>> passwordGraceLimit: 1
>> pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
>>
>> Regards,
>>
>> ViSolve LDAP Team.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Hugo
>> Etievant
>> Sent: Wednesday, February 25, 2009 9:41 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Password policy don't work on a
>> subtree
>>
>> hello,
>>
>> version: Directory Server 1.1.3 on Fedora 8 64 bits platform
>>
>> When I configure a password policy on a subtree of my directory, this
>> policy does not work.
>> When I configure a global password policy, this global policy works but
>> ignores local policies of subtrees.
>>
>> when I look at the databases ldif backup, I do not find the
>> "passwordMinLength" attribute for local password policy for subtrees
>> but this attribute exists in dse ldif for the global policy!
>>
>> how to resolve this?
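Added example, not part of the original thread: a small Python check that lists which `password*` attributes set in the global policy are absent from, or differ in, a subtree policy entry. The two attribute lists are copied from the message above; the function names `parse_attrs` and `audit` are hypothetical.

```python
# Added example: compare a subtree policy with the global one (data from the thread).
GLOBAL_POLICY = """\
nsslapd-security: on
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
passwordCheckSyntax: on
passwordMinAlphas: 1
passwordMinDigits: 1
passwordMaxAge: 63072000
passwordExp: on
passwordHistory: on
passwordWarning: 0
passwordInHistory: 10
"""
LOCAL_POLICY = """\
passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000
"""
def parse_attrs(ldif_text):
    """Map lower-cased attribute name -> (name as written, value)."""
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            attrs[name.strip().lower()] = (name.strip(), value.strip())
    return attrs

def audit(global_text, local_text):
    """Return (global password* attrs absent locally, attrs whose values differ)."""
    glob, loc = parse_attrs(global_text), parse_attrs(local_text)
    shared = {k: v for k, v in glob.items() if k.startswith("password")}
    missing = sorted(n for k, (n, _) in shared.items() if k not in loc)
    differing = sorted(n for k, (n, v) in shared.items() if k in loc and loc[k][1] != v)
    return missing, differing
print(audit(GLOBAL_POLICY, LOCAL_POLICY))
```

Feeding it the output of the `objectclass=ldapsubentry` search for other subtrees gives the same comparison for each local policy entry.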