Juan Carlos,

Yes, CoS can help. I had a similar problem and resolved it by using roles and CoS. More precisely, I used a filtered role and then assigned the same password policy to all role members (belonging to different groups) by using the so-called classic type of CoS. However, I had to assign the password policy by command line, not through the 389 console.

Role DN may be something like this:

dn: cn=roleName,ou=people,dc=example,dc=com
cn: roleName
nsrolefilter: ou=UniquePolicyRole
objectclass: top
objectclass: ldapsubentry
objectclass: nsroledefinition
objectclass: nscomplexroledefinition
objectclass: nsfilteredroledefinition

So when an entry matches the role filter criteria it gets an nsRole attribute that has a value of a kind: cn=roleName,ou=people,dc=example,dc=com…

Classic CoS implementation looks a bit tricky.

CoS definition entry:

dn: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosspecifier: nsRole
cosTemplateDN: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosattribute: pwdPolicySubentry default operational-default
objectclass: top
objectclass: ldapsubentry
objectclass: cossuperdefinition
objectclass: cosClassicDefinition

CoS template entry:

dn: CosTemplateRDN,CoSDefinitionRDN,ou=people,dc=example,dc=com
pwdpolicysubentry: PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com
cospriority: n
# see more on CoS priorities. The purpose is to always have exactly one
# password policy, i.e. pwdPolicySubentry attribute, active, even if your
# entry is eligible for a few of them.
objectclass: top
objectclass: costemplate
objectclass: extensibleobject
objectclass: ldapsubentry

As a result, an entry belonging to the roleName role would have pwdpolicysubentry with a value of “dn:PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com”

I hope this helps.

Jovan

Jovan Vukotić • Senior Software Engineer • Ambit Treasury Management • SunGard • Banking • Bulevar Milutina Milankovića 136b, Belgrade, Serbia • tel: +381.11.6555-66-1 • jovan.vukotic@xxxxxxxxxxx

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx]
On Behalf Of Juan Carlos Camargo

389ds'ers,

I'm struggling to find the best way to apply a password policy only to members of a group, the rest having either the global or user/local policy. I have a number of users whose password should never expire, but those users live in different OUs and don't even share a parent branch. Do you think a CoS might help? Which do you think would be the best way to implement this?

--
Juan Carlos Camargo Carrillo. @jcarloscamargo 957-211157 , 650932877
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
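Jovan's scheme above (a filtered role supplying the virtual nsRole attribute, a classic CoS keyed on that attribute, and cosPriority deciding which template wins) is easy to misjudge once an account qualifies for more than one role. The Python model below is an added example, not code from this thread or from 389 Directory Server: it evaluates a small subset of LDAP filters, derives the nsRole values an entry would get, and resolves pwdPolicySubentry the way the thread describes, with a real attribute on the entry winning because of the "default" qualifier and the lowest cosPriority winning among competing templates (0 is the highest priority; a template without cosPriority ranks last). It assumes, as 389 DS does for a classic CoS, that each template is selected by the specifier value it carries. The second role (contractorRole), the policy names neverExpire, strict90days and legacy, and the three sample entries are constructed for the illustration.

```python
"""Models how 389 DS derives nsRole from a filtered role and then resolves
pwdPolicySubentry through a classic CoS with cosPriority tie-breaking.
Added illustration only; all data below is constructed, not from 389 DS."""


def _split_top(s):
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'] at depth-0 parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, flt):
    """Evaluate a small LDAP filter subset (equality, presence, &, |, !) against an
    entry given as {lowercase attribute: [values]}. 389 DS accepts a bare
    'attr=value' as nsRoleFilter, so surrounding parentheses are added if missing."""
    flt = flt.strip()
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    body = flt[1:-1]
    if body[0] == "&":
        return all(matches(entry, sub) for sub in _split_top(body[1:]))
    if body[0] == "|":
        return any(matches(entry, sub) for sub in _split_top(body[1:]))
    if body[0] == "!":
        return not matches(entry, _split_top(body[1:])[0])
    attr, _, value = body.partition("=")
    vals = entry.get(attr.strip().lower(), [])
    if value == "*":
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def ns_role_values(entry, roles):
    """Virtual nsRole values: the DN of every filtered role whose nsRoleFilter the
    entry matches, regardless of where in the tree the entry lives."""
    return [r["dn"] for r in roles if matches(entry, r["nsrolefilter"])]


def effective_pwd_policy(entry, roles, templates):
    """Classic CoS resolution with cosSpecifier=nsRole and qualifier 'default':
    - a real pwdPolicySubentry on the entry wins over any CoS-generated value;
    - otherwise every template whose specifier value is one of the entry's nsRole
      values applies;
    - among several, the lowest cosPriority wins (0 = highest; none = last);
    - None means no template applied, so the global or subtree policy is in force."""
    own = entry.get("pwdpolicysubentry")
    if own:
        return own[0]
    nsroles = {dn.lower() for dn in ns_role_values(entry, roles)}
    candidates = [t for t in templates if t["specifier"].lower() in nsroles]
    if not candidates:
        return None
    candidates.sort(key=lambda t: t.get("cospriority", float("inf")))
    return candidates[0]["pwdpolicysubentry"]


# Constructed sample data (hypothetical names, same base DN as the thread).
ROLES = [
    {"dn": "cn=roleName,ou=people,dc=example,dc=com",
     "nsrolefilter": "ou=UniquePolicyRole"},
    {"dn": "cn=contractorRole,ou=people,dc=example,dc=com",
     "nsrolefilter": "(&(employeeType=contractor)(objectClass=inetOrgPerson))"},
]
TEMPLATES = [  # one template per role; the specifier value selects the template
    {"specifier": "cn=roleName,ou=people,dc=example,dc=com", "cospriority": 0,
     "pwdpolicysubentry": "cn=neverExpire,cn=PwdPolicies,ou=people,dc=example,dc=com"},
    {"specifier": "cn=contractorRole,ou=people,dc=example,dc=com", "cospriority": 1,
     "pwdpolicysubentry": "cn=strict90days,cn=PwdPolicies,ou=people,dc=example,dc=com"},
]
ENTRIES = {
    # tagged for both roles; which policy wins is decided by cosPriority alone
    "alice": {"uid": ["alice"], "ou": ["UniquePolicyRole"],
              "employeetype": ["contractor"], "objectclass": ["inetOrgPerson"]},
    # matches no role: falls back to the global or subtree password policy
    "bob": {"uid": ["bob"], "ou": ["Sales"], "objectclass": ["inetOrgPerson"]},
    # carries its own pwdPolicySubentry, which the 'default' qualifier leaves intact
    "carol": {"uid": ["carol"], "ou": ["UniquePolicyRole"],
              "objectclass": ["inetOrgPerson"],
              "pwdpolicysubentry": ["cn=legacy,cn=PwdPolicies,ou=people,dc=example,dc=com"]},
}

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        print(name, ns_role_values(entry, ROLES),
              effective_pwd_policy(entry, ROLES, TEMPLATES))
```

Running the block prints each entry's role membership and effective policy: alice resolves to neverExpire because that template has the lower cosPriority, bob resolves to None (the global or local policy Juan Carlos mentions stays in force), and carol keeps the policy set directly on her entry. When checking the same thing against a real server, ask for nsRole and pwdPolicySubentry by name in the ldapsearch attribute list, since both are operational attributes and are not returned by a plain search.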