I think I have this sorted. It looks like the problem is that the ns-newpwpolicy.pl uses '=' instead of its ascii value (\3D) in the rdn of the password policy itself and the costemplatedn attribute of the CoS specification. Below is what is working for me.

-morgan


check that nsslapd-pwpolicy-local is on

$ ldapsearch -H ldaps://devsgldap01.domain.net -x -D cn=directory\ manager -y ~/Docs/.pass2 -LLLb cn=config -s base nsslapd-pwpolicy-local
dn: cn=config
nsslapd-pwpolicy-local: on
$


top level container:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(objectclass=nscontainer)'
dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
cn: nsPwPolicyContainer
objectClass: top
objectClass: nsContainer


Password policy itself. Note that '=' has been replaced with '\3D' in the dn that is the rdn:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=passwordpolicy))'
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
passwordMaxFailure: 10
passwordResetFailureCount: 600
passwordLockout: on
passwordStorageScheme: ssha
passwordCheckSyntax: on
passwordChange: off
passwordMinAge: 0
passwordExp: off
passwordMustChange: off
passwordMinLength: 6
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org


The cos template that has the pwdpolicysubentry value point to the above nsPwPolicyEntry entry. pwdpolicysubentry is operational, ask for it separately:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=costemplate))'
dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=costemplate))' pwdpolicysubentry
dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org


CoS specification at the subtree level. Note that '=' has been replaced with '\3D' in costemplatedn:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=cossuperdefinition))'
dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
costemplatedn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
cn: nsPwPolicy_cos
cosAttribute: pwdpolicysubentry default operational-default
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition


On Aug 26, 2013, at 2:49 PM, Morgan Jones wrote:

>
> On Aug 23, 2013, at 4:02 AM, Ludwig Krispenz wrote:
>
>> Did you enable the global password policy and set nsslapd-pwpolicy-local: on ?
>
> Yes, it is set
>
>> The admin guide (chapter 14.1.2) says that pwpolicy must be enabled globally before local policies are used.
>>
>> And I think your cos definition is incomplete: the costemplate needs to hold a value for the cos attribute,
>> pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>
> pwdpolicysubentry is set, it didn't show up on my search below because it's apparently an operational attribute (I get it if I request it). It's set for both of the templates--the one added by the command line and the one added by the console:
>
> $ ldapsearch -H ldaps://devsgldapm01.domain.net -x -y ~/Docs/.pass2 -D cn=directory\ manager -LLL '(&(objectclass=costemplate)(objectclass=ldapsubentry))' pwdpolicysubentry objectclass
> dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectclass: top
> objectclass: extensibleObject
> objectclass: costemplate
> objectclass: ldapsubentry
>
> dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectclass: extensibleObject
> objectclass: costemplate
> objectclass: ldapsubentry
> objectclass: top
>
> thanks,
>
> -morgan
>
>> Ludwig
>>
>> On 08/22/2013 11:06 PM, Morgan Jones wrote:
>>> Either I'm missing something or password policies just don't work in Redhat (CentOS) directory 8.2.8.
>>>
>>> I started by creating a subtree policy on the command line:
>>>
>>> # ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org
>>> adding new entry cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>>
>>> adding new entry cn=cn=nsPwPolicyEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>>
>>> adding new entry cn=cn=nsPwTemplateEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>>
>>> adding new entry cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
>>>
>>> modifying entry cn=config
>>>
>>> The following were created:
>>>
>>> dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>> objectClass: top
>>> objectClass: nsContainer
>>> cn: nsPwPolicyContainer
>>>
>>> dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: costemplate
>>> objectClass: ldapsubentry
>>> cosPriority: 1
>>> cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
>>>
>>> dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
>>> objectClass: top
>>> objectClass: LDAPsubentry
>>> objectClass: cosSuperDefinition
>>> objectClass: cosPointerDefinition
>>> costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>> cosAttribute: pwdpolicysubentry default operational-default
>>> cn: nsPwPolicy_cos
>>>
>>> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>> objectClass: top
>>> objectClass: ldapsubentry
>>> objectClass: passwordpolicy
>>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>>
>>> I added the policy attributes we're interested in:
>>>
>>> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>> passwordResetFailureCount: 600
>>> passwordMaxFailure: 10
>>> passwordLockout: on
>>> passwordMinLength: 6
>>> objectClass: top
>>> objectClass: ldapsubentry
>>> objectClass: passwordpolicy
>>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>>
>>> I then tried 11 ldapsearches as a user under ou=students,dc=domain,dc=org and the account was not locked out.
>>>
>>> I then checked the console and the settings weren't there. I set them and it added two additional entries:
>>>
>>> dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>> passwordMaxFailure: 10
>>> passwordResetFailureCount: 600
>>> passwordLockout: on
>>> passwordStorageScheme: ssha
>>> passwordCheckSyntax: on
>>> passwordChange: off
>>> passwordMinAge: 0
>>> passwordExp: off
>>> passwordMustChange: off
>>> passwordMinLength: 6
>>> objectClass: ldapsubentry
>>> objectClass: passwordpolicy
>>> objectClass: top
>>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>>
>>> dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>> objectClass: extensibleObject
>>> objectClass: costemplate
>>> objectClass: ldapsubentry
>>> objectClass: top
>>> cosPriority: 1
>>> cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
>>>
>>> However I still can't force a user to be locked out.
>>>
>>> I did set passwordIsGlobalPolicy to on under cn=config though as far as I can tell that only affects replication of password policies.
>>>
>>> Am I missing something?
>>>
>>> thanks,
>>>
>>> -morgan
>>> --
>>> 389 users mailing list
>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
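A consistency check for the three entries the thread walks through, written as an added example (not code from the thread, from ns-newpwpolicy.pl or from 389 DS). It parses constructed `ldapsearch -LLL` output shaped like the entries above, follows costemplatedn to the template and pwdpolicysubentry to the policy entry, and flags a reference that resolves only after unescaping, i.e. written with '=' where the stored DN has '\3D', which is the mismatch the top message identifies; the entry names and escaping come from the thread, the sample LDIF is constructed.

```python
import re

def canonical_dn(dn: str) -> str:
    """Unescape fully (\\3D -> '=', \\2C and \\, -> ',') and lowercase; for comparison only."""
    dn = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), dn)
    return re.sub(r"\\(.)", r"\1", dn).lower()

def parse_ldif(text: str) -> list[dict]:
    """Parse `ldapsearch -LLL` output (no base64 values) into {attr: [values]} dicts."""
    entries = []
    for block in re.sub(r"\n ", "", text.strip()).split("\n\n"):  # unfold wrapped lines
        attrs: dict = {}
        for name, _, value in (line.partition(":") for line in block.splitlines()):
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries

def find(entries: list[dict], dn: str):
    """Return (entry, exact); exact is False when the DN matches only after unescaping."""
    exact = next((e for e in entries if e["dn"][0].lower() == dn.lower()), None)
    loose = next((e for e in entries if canonical_dn(e["dn"][0]) == canonical_dn(dn)), None)
    return (exact, True) if exact else (loose, False)

def check_policy_chain(ldif_text: str) -> list[str]:
    """Walk costemplatedn -> pwdpolicysubentry -> policy entry and list every problem."""
    entries = parse_ldif(ldif_text)
    defs = [e for e in entries if "cospointerdefinition" in map(str.lower, e.get("objectclass", []))]
    problems = [] if defs else ["no cosPointerDefinition entry found"]
    for node in defs:
        for attr in ("costemplatedn", "pwdpolicysubentry"):
            nxt, exact = find(entries, node[attr][0]) if attr in node else (None, False)
            if nxt is None:  # pwdpolicysubentry is operational: ldapsearch must request it by name
                problems.append(f"{node['dn'][0]}: {attr} missing or points at no entry")
                break
            if not exact:  # same DN per RFC 4514, but written with '=' where the entry has '\3D'
                problems.append(f"{node['dn'][0]}: {attr} escaping differs from target DN; use the \\3D form")
            node = nxt
        else:
            if node.get("passwordlockout", ["off"])[0].lower() != "on":
                problems.append(f"{node['dn'][0]}: passwordLockout is not on")
    return problems

CONT = "cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org"  # constructed sample, shaped like the thread's entries
ESC = "\\2Cou\\3Dstudents\\2Cdc\\3Ddomain\\2Cdc\\3Dorg"  # the console's escaping of ',' and '='
TEMPLATE = f"cn=cn\\3DnsPwTemplateEntry{ESC},{CONT}"
POLICY = f"cn=cn\\3DnsPwPolicyEntry{ESC},{CONT}"

def sample_ldif(template_ref: str) -> str:
    return (f"dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org\nobjectClass: cosPointerDefinition\n"
            f"costemplatedn: {template_ref}\n\ndn: {TEMPLATE}\nobjectClass: costemplate\npwdpolicysubentry: {POLICY}\n\n"
            f"dn: {POLICY}\nobjectClass: passwordpolicy\npasswordLockout: on\n")
```

`check_policy_chain(sample_ldif(TEMPLATE))` returns no problems; passing a costemplatedn in the ns-newpwpolicy.pl form (`cn=cn=nsPwTemplateEntry\2Cou=students...`) reports the escaping mismatch.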