On Aug 23, 2013, at 4:02 AM, Ludwig Krispenz wrote:

> Did you enable the global password policy and set nsslapd-pwpolicy-local: on ?

Yes, it is set.

> The admin guide (chapter 14.1.2) says that pwpolicy must be enabled globally before local policies are used.
>
> And I think your cos definition is incomplete: the costemplate needs to hold a value for the cos attribute,
> pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

pwdpolicysubentry is set; it didn't show up in my search below because it's apparently an operational attribute (I get it if I request it). It's set for both of the templates -- the one added by the command line and the one added by the console:

$ ldapsearch -H ldaps://devsgldapm01.domain.net -x -y ~/Docs/.pass2 -D cn=directory\ manager -LLL '(&(objectclass=costemplate)(objectclass=ldapsubentry))' pwdpolicysubentry objectclass
dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectclass: top
objectclass: extensibleObject
objectclass: costemplate
objectclass: ldapsubentry

dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectclass: extensibleObject
objectclass: costemplate
objectclass: ldapsubentry
objectclass: top

thanks,

-morgan

> Ludwig
>
> On 08/22/2013 11:06 PM, Morgan Jones wrote:
>> Either I'm missing something or password policies just don't work in Redhat (CentOS) directory 8.2.8.
>>
>> I started by creating a subtree policy on the command line:
>>
>> # ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org
>> adding new entry cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> adding new entry cn=cn=nsPwPolicyEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> adding new entry cn=cn=nsPwTemplateEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> adding new entry cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
>> modifying entry cn=config
>>
>> The following were created:
>>
>> dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: nsContainer
>> cn: nsPwPolicyContainer
>>
>> dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: costemplate
>> objectClass: ldapsubentry
>> cosPriority: 1
>> cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
>>
>> dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: LDAPsubentry
>> objectClass: cosSuperDefinition
>> objectClass: cosPointerDefinition
>> costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> cosAttribute: pwdpolicysubentry default operational-default
>> cn: nsPwPolicy_cos
>>
>> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>
>> I added the policy attributes we're interested in:
>>
>> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> passwordResetFailureCount: 600
>> passwordMaxFailure: 10
>> passwordLockout: on
>> passwordMinLength: 6
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>
>> I then tried 11 ldapsearches as a user under ou=students,dc=domain,dc=org and the account was not locked out.
>>
>> I then checked the console and the settings weren't there. I set them and it added two additional entries:
>>
>> dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> passwordMaxFailure: 10
>> passwordResetFailureCount: 600
>> passwordLockout: on
>> passwordStorageScheme: ssha
>> passwordCheckSyntax: on
>> passwordChange: off
>> passwordMinAge: 0
>> passwordExp: off
>> passwordMustChange: off
>> passwordMinLength: 6
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> objectClass: top
>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>
>> dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectClass: extensibleObject
>> objectClass: costemplate
>> objectClass: ldapsubentry
>> objectClass: top
>> cosPriority: 1
>> cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
>>
>> However I still can't force a user to be locked out.
>>
>> I did set passwordIsGlobalPolicy to on under cn=config, though as far as I can tell that only affects replication of password policies.
>>
>> Am I missing something?
>>
>> thanks,
>>
>> -morgan
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
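Added example, not code from the thread or from the 389 DS project: a small checker that walks the fine-grained password policy chain Ludwig's reply describes (cn=config nsslapd-pwpolicy-local, then the CoS definition's cosTemplateDn, then the template's pwdpolicysubentry value, then the passwordpolicy entry with the lockout attributes Morgan set) over an LDIF dump and reports the first broken link. The LDIF inside the block is constructed from the entries posted in this thread and is not a server dump; the DN handling decodes RFC 4514 hex escapes, so the two spellings of the same name seen here (cn=cn=nsPwTemplateEntry\2Cou=... and cn=cn\3DnsPwTemplateEntry\2Cou\3D...) compare equal after decoding. Function and constant names are the example's own.

```python
# Added example, not code from the thread: walk a 389 DS fine-grained password
# policy chain in an LDIF dump (cn=config -> CoS definition -> CoS template ->
# passwordpolicy entry) and report where it breaks.  Names follow the thread.
import re


def unescape_dn_value(value):
    """Decode RFC 4514 escapes: \\2C -> ',', \\3D -> '=', \\, -> ','.  Hex pairs
    are taken as single ASCII bytes, which is enough for the DNs in the thread."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)


def normalize_dn(dn):
    """Comparison key: lower-cased, escapes decoded, ',' re-escaped.  The two
    spellings in the thread (x\\2Cou=y and x\\2Cou\\3Dy) give the same key."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):        # escaped backslash before ',' not handled
        attr, _, raw = rdn.partition("=")
        val = unescape_dn_value(raw.strip()).lower().replace(",", "\\,")
        parts.append(attr.strip().lower() + "=" + val)
    return ",".join(parts)


def parse_ldif(text):
    """Minimal LDIF reader: unfolds folded lines, keys entries by normalized DN,
    lower-cases attribute names; base64 (::) values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # LDIF line folding
        else:
            lines.append(raw)
    entries, attrs = {}, {}
    for line in lines + [""]:                    # "" flushes the last entry
        if not line.strip():
            if "dn" in attrs:
                entries[normalize_dn(attrs["dn"][0])] = attrs
            attrs = {}
        else:
            name, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def check_policy_chain(entries, cos_definition_dn):
    """Return a list of problems; an empty list means the chain is intact."""
    entry = lambda dn: entries.get(normalize_dn(dn)) if dn else None
    first = lambda e, attr: (e.get(attr.lower()) or [None])[0]
    problems = []
    config = entry("cn=config")
    if ((config and first(config, "nsslapd-pwpolicy-local")) or "").lower() != "on":
        problems.append("cn=config: nsslapd-pwpolicy-local is not on; local policies are ignored")
    cos = entry(cos_definition_dn)
    if cos is None:
        return problems + [f"CoS definition missing: {cos_definition_dn}"]
    if (first(cos, "cosAttribute") or "").lower().split()[:1] != ["pwdpolicysubentry"]:
        problems.append(f"{cos_definition_dn}: cosAttribute does not name pwdpolicysubentry")
    template = entry(first(cos, "cosTemplateDn"))
    if template is None:
        return problems + [f"{cos_definition_dn}: cosTemplateDn points at no entry"]
    policy_dn = first(template, "pwdpolicysubentry")
    if not policy_dn:
        return problems + [f"{first(template, 'dn')}: template holds no pwdpolicysubentry value"]
    policy = entry(policy_dn)
    if policy is None:
        return problems + [f"pwdpolicysubentry points at no entry: {policy_dn}"]
    if (first(policy, "passwordLockout") or "off").lower() != "on":
        problems.append(f"{policy_dn}: passwordLockout is not on")
    if int(first(policy, "passwordMaxFailure") or 0) < 1:
        problems.append(f"{policy_dn}: passwordMaxFailure is not set")
    return problems


COS_DN = "cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org"

# Constructed sample modelled on the entries posted in the thread, not a dump.
GOOD_LDIF = r"""dn: cn=config
nsslapd-pwpolicy-local: on

dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
cosTemplateDn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=
 nsPwPolicyContainer,ou=students,dc=domain,dc=org
cosAttribute: pwdpolicysubentry default operational-default

dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyC
 ontainer,ou=students,dc=domain,dc=org
pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,c
 n=nsPwPolicyContainer,ou=students,dc=domain,dc=org

dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyCon
 tainer,ou=students,dc=domain,dc=org
passwordLockout: on
passwordMaxFailure: 10
"""

# Same sample with the two points Ludwig's reply raises: global switch off and a
# template without its pwdpolicysubentry value (folded over one line above).
BROKEN_LDIF = re.sub(r"pwdpolicysubentry: [^\n]*\n [^\n]*\n", "",
                     GOOD_LDIF.replace("nsslapd-pwpolicy-local: on",
                                       "nsslapd-pwpolicy-local: off"))
```

To use it against a live server, feed it the ldapsearch -LLL output for cn=config, the CoS definition, the template and the policy entry, requesting pwdpolicysubentry explicitly on the template since, as Morgan found, it is operational and not returned by default; the same explicit request on a user entry under ou=students shows which policy the CoS actually assigns to that user, and after failed binds the user's passwordRetryCount and accountUnlockTime operational attributes show whether lockout is counting. One caveat: the checker's DN comparison is an RFC 4514 string comparison, whereas the server in this thread listed the two spellings as two separate entries, so take the server's own dn: lines as the source of truth for which entry the CoS definition really points at.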