Re: problems with password policies

Did you enable the global password policy and set nsslapd-pwpolicy-local: on?

The admin guide (chapter 14.1.2) says that pwpolicy must be enabled globally before local policies are used.

And I think your CoS definition is incomplete: the costemplate needs to hold a value for the CoS attribute,
pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyCon
 tainer,ou=students,dc=domain,dc=org

Ludwig

On 08/22/2013 11:06 PM, Morgan Jones wrote:
Either I'm missing something or password policies just don't work in Redhat (CentOS) directory 8.2.8.

I started by creating a subtree policy on the command line:

# ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org
adding new entry cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

adding new entry cn=cn=nsPwPolicyEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

adding new entry cn=cn=nsPwTemplateEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

adding new entry cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org

modifying entry cn=config

The following were created:

dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyC
 ontainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org

dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=
 nsPwPolicyContainer,ou=students,dc=domain,dc=org
cosAttribute: pwdpolicysubentry default operational-default
cn: nsPwPolicy_cos

dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyCon
 tainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org

I added the policy attributes we're interested in:

dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyCon
 tainer,ou=students,dc=domain,dc=org
passwordResetFailureCount: 600
passwordMaxFailure: 10
passwordLockout: on
passwordMinLength: 6
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org

I then tried 11 ldapsearches as a user under ou=students,dc=domain,dc=org and the account was not locked out.

I then checked the console and the settings weren't there.  I set them and it added two additional entries:

dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwP
 olicyContainer,ou=students,dc=domain,dc=org
passwordMaxFailure: 10
passwordResetFailureCount: 600
passwordLockout: on
passwordStorageScheme: ssha
passwordCheckSyntax: on
passwordChange: off
passwordMinAge: 0
passwordExp: off
passwordMustChange: off
passwordMinLength: 6
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org

dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsP
 wPolicyContainer,ou=students,dc=domain,dc=org
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org


However I still can't force a user to be locked out.

I did set passwordIsGlobalPolicy to on under cn=config though as far as I can tell that only affects replication of password policies.

Am I missing something?

thanks,

-morgan
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

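The two fixes suggested in the reply above, written out as ldapmodify input. This is an added example, not LDIF from either poster or from the 389 project; it assumes the template and policy entries are the ones ns-newpwpolicy.pl created under cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org (the first pair shown in the quoted message, not the duplicates the console added), and that the policy entry already carries the passwordLockout / passwordMaxFailure attributes:

```ldif
# 1. Turn on fine-grained (subtree / local) password policy globally.
#    Without this the server ignores every pwdpolicysubentry it finds.
dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on

# 2. Give the CoS template the value that the CoS definition
#    (cosAttribute: pwdpolicysubentry) is supposed to hand out.
#    The template DN is the one created by ns-newpwpolicy.pl (assumed);
#    the value is the DN of the passwordpolicy entry in the same container.
dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
```

Apply it with `ldapmodify -x -D "cn=directory manager" -W -f fix-pwpolicy.ldif` (file name assumed). To check that the CoS is actually being served, read a user entry and ask for the operational attribute by name, e.g. `ldapsearch -x -D "cn=directory manager" -W -b "uid=someuser,ou=students,dc=domain,dc=org" pwdpolicysubentry` (user DN assumed); the result should show the policy entry DN. When testing lockout, keep in mind that the failure counter behind passwordMaxFailure is incremented by failed bind attempts, so the test is repeated binds with a wrong password (each `ldapsearch -x -D <userdn> -w wrongpass ...` counts as one), not searches performed after a successful bind.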
