On 05/24/2013 11:29 PM, Vincent Gerris
wrote:
Hi Thierry,
Agreed that it might be handy, but we have no
password policy enabled.
Thus, these actions should not be enabled imho.
Any way to disable it? Thanks,
Hi Vincent,
Unfortunately there is no switch to prevent this internal
modification.
I think that most of the time passwordgraceusertime is not set, so
it would be better to trigger that update (passwordgraceusertime=0)
only if we entered in the grace period (i.e.
passwordgraceusertime!=0).
I would suggest that you fill a ticket for this issue or I will fill
it for you if you can not.
best regards
thierry
Kind regards,
Vincent
On 24 May 2013 19:04, "thierry bordaz"
< tbordaz@xxxxxxxxxx>
wrote:
On 05/24/2013 04:16 PM, Vincent Gerris wrote:
sorry for the high traffic.
discussed with some collegues and it seems the following is applicable:
"It's not a bug, it's a feauture!"
the attribute passwordgraceusertime is not present in the iPlanet LDAP
server or perhaps not enabled by default.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Schema_Reference/Schema_Reference-Operational_Attributes_Special_Attributes_and_Special_Object_Classes.html#passwordGrace_UserTime
.
So instead of filing a bug, my question is: is it possible to somehow
not have this attribute reset?
I couldn't find anything under password policy.
Googling did not help either.
Any help is greatly appreciated!
Hi Vincent,
During a bind you may get notified that your
password is about to expire or already expired.
When you receive that notification you enter into the
grace period time, where it is a good idea to change your
password.
Of course when you change your password, you expect that
this grace period ends and that your password follow the
life time of the password policy.
To do this, when you reset your password, there is an
additional internal modify to reset the grace time (and
possibly others password policy attributes). Each time the
password is reset (whatever the defined password policy) ,
this attribute is also reset and I do not know how to
prevent this.
best regards
thierry
On Fri, May 24, 2013 at 3:38 PM, Vincent Gerris <vgerris@xxxxxxxxx> wrote:
I verified this behaviour is still present in Fedora 389 Directory Server 1.2.6.
On Fri, May 24, 2013 at 3:21 PM, Vincent Gerris <vgerris@xxxxxxxxx> wrote:
Hi all,
I think I found it, it seems a bug to me.
With audit logging enabled, I noticed a difference in output in the
output log when changing for example a fax field or the password.
I also noticed that this is also reproducible with the 389 admin GUI.
What I see for example with changing a fax number is:
time: 20130524143610
dn: uid=********,ou=********,o=*********
changetype: modify
replace: telephoneNumber
telephoneNumber: 1234
-
replace: modifiersname
modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
-
replace: modifytimestamp
modifytimestamp: 20130524123610Z
-
When ANY modification is made where the password field is modified, I
see something like this:
time: 20130524141847
dn: uid=********,ou=********,o=*********
changetype: modify
delete: preferredLanguage
-
replace: userPassword
userPassword::somelongthingjhere*********************************************************
=
-
replace: modifiersname
modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
-
replace: modifytimestamp
modifytimestamp: 20130524121847Z
-
time: 20130524141847
dn: uid=********,ou=********,o=*********
changetype: modify
replace: passwordgraceusertime
passwordgraceusertime: 0
-
Note the extra time: entry.
Apparently, this extra time enty triggers the creation of the extra
changelog entry.
I looked on the old iPlanet server, when a password is changed there,
there is no second time entry.
Can anyone check this on a recent 389 or RH DS?
kind regards,
Vincent
On Fri, May 24, 2013 at 2:04 PM, Vincent Gerris <vgerris@xxxxxxxxx> wrote:
Hi Ludwig and fellow readers,
I will do that.
In the mean time I did some more investigating of the access log and
it seems like a bug to mee.
It may be true that sometime triggers te bug, but this is what I see
in the access log:
[24/May/2013:12:16:48 +0200] conn=20 op=1 MOD
dn="uid=********,ou=*******,o=*********"
This single MOD log entry in the access log triggers 2 changelog
entries with the same time step, but one with a higher numer (+1).
I believe the proper behaviour of the Retro Changelog Plugin schould
be that only 1 entry is made in the cn-changelog tree.
We are running 9.0.0 of the Red Hat Directory Server now, perhaps this
is a bug that is fixed in the mean time?
I am now off to enable Audit logging and perhaps after that look with
wireshark at what happens.
I hope in the mean time someone can confirm this bug and maybe a solution?
Thank you.
Kind regards,
Vincent
On Thu, May 23, 2013 at 3:22 PM, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:
On 05/23/2013 02:22 PM, Vincent Gerris wrote:
Hi Ludwig,
We see the same change with a different change number.
This does not happen while using the 389-console or a tool we use to
directly connect to the directory.
When other integration tools are used that do no trigger a duplicate
entry with iPlanet, they do show a duplicate entry.
I can attach a part of the slapd access log file that records this
activity.
maybe you can also turn on audit logging and see if there is a difference in
the ops from different clients
We are planning a migration from iPlanet 5 to RH DS 9 and this came up
yesterday.
Kind regards,
Vincent
On Thu, May 23, 2013 at 9:51 AM, Ludwig Krispenz <lkrispen@xxxxxxxxxx>
wrote:
What do you mean by two entries - the same change duplicate with
different
change numbers or an additional change logged ?
Ludwig
On 05/23/2013 08:57 AM, Vincent Gerris wrote:
Hi,
We are using Red Hat Enterprise Directory Server (which is a stable
389).
We have been using the retro changelog plugin from the old iPlanet
server for synchronisation to other systems.
Yesterday we noticed that for some reason, when an LDAP modification
is made, 2 entries turn up in de changelog LDAP tree.
It does not seem to happen when the 389-console client is used and a
change is made directly to an account with it,
but when an LDAP modify is done, while the slapd access logs shows 1
modification, the changelog has two entries.
This seems to be a bug.
Does anyone know how to solve this?
I have not found anybody having the issue and nothing in the
configuration either.
These duplicate entries might result in performance issues on the
scripting side.
Any help is greatly appreciated!
Kind regards,
Vincent
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
|