To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx, juancarlos@xxxxxxxxxx
Sent: Thursday, August 29, 2013 15:49:41
Subject: RE: Password policy applied to a group
Juan Carlos,
Yes, CoS can help. I had a similar problem and resolved it by using roles and CoS. More precisely, I used a filtered role and then assigned the same password policy to all role members (belonging to different groups) by using the so-called classic type of CoS.
However, I had to assign the password policy by command line not through 389 console.
The role DN may be something like this:
dn: cn=roleName,ou=people,dc=example,dc=com
cn: roleName
nsrolefilter: ou=UniquePolicyRole
objectclass: top
objectclass: ldapsubentry
objectclass: nsroledefinition
objectclass: nscomplexroledefinition
objectclass: nsfilteredroledefinition
So when an entry matches the role filter criteria it gets an nsRole attribute with a value of the kind cn=roleName,ou=people,dc=example,dc=com.
Classic CoS implementation looks a bit tricky:
CoS definition entry:
dn: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosspecifier: nsRole
cosTemplateDN: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosattribute: pwdPolicySubentry default operational-default
objectclass: top
objectclass: ldapsubentry
objectclass: cossuperdefinition
objectclass: cosClassicDefinition
CoS template entry:
dn: CosTemplateRDN,CoSDefinitionRDN,ou=people,dc=example,dc=com
pwdpolicysubentry: PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com
# see more on CoS priorities. The purpose is to always have exactly one password policy,
# i.e. one active pwdPolicySubentry attribute, even if your entry is eligible for a few of them.
cospriority: n
objectclass: top
objectclass: costemplate
objectclass: extensibleobject
objectclass: ldapsubentry
As a result, an entry belonging to the roleName role would have pwdpolicysubentry with a value of "PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com".
I hope this helps.
Jovan
Jovan Vukotić • Senior Software Engineer • Ambit Treasury Management • SunGard • Banking • Bulevar Milutina Milankovića 136b, Belgrade, Serbia • tel: +381.11.6555-66-1 • jovan.vukotic@xxxxxxxxxxx
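The following script is an added example and is not part of Jovan's post or of 389 DS itself. It generates the three entries he describes (filtered role, classic CoS definition, CoS template) as LDIF for a given role name and policy DN, and then simulates how the server resolves the effective pwdPolicySubentry, including the cosPriority rule the comment above alludes to. The base DN, the CoS definition RDN, the role filter and the priorities are constructed placeholders; the quoted-RDN form used for the template DN (the template RDN must equal the nsRole value, which is itself a DN) and the single-equality filter matcher are simplifying assumptions.

```python
# Added example (not from the mailing-list thread): build the filtered-role and
# classic-CoS LDIF and simulate how 389 DS picks the effective pwdPolicySubentry.
# All DNs, names and priorities are constructed placeholders.

BASE_DN = "dc=example,dc=com"                 # constructed
PEOPLE = f"ou=people,{BASE_DN}"
GLOBAL_POLICY = "cn=config"                   # stands in for the global policy (label only)


def quote_rdn_value(value: str) -> str:
    """Quote an RDN value that itself contains commas.

    Classic CoS looks up the template at cn=<cosSpecifier value>,<cosTemplateDn>.
    With cosSpecifier=nsRole that value is a DN, so the RDN value must be quoted
    (assumption: the RFC 2253 double-quoted form is used here).
    """
    return '"' + value.replace('"', '\\"') + '"'


def entry_to_ldif(entry: dict) -> str:
    """Serialise a {attr: [values]} dict (with a 'dn' key) as one LDIF record."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n"


def build_entries(role_name: str, role_filter: str, policy_dn: str, priority: int) -> list:
    """Return the role, CoS definition and CoS template entries as dicts."""
    role_dn = f"cn={role_name},{PEOPLE}"
    cos_def_dn = f"cn={role_name}PwdPolicyCoS,{PEOPLE}"     # constructed RDN
    # The template is a child of the definition and cosTemplateDn points at the
    # definition, mirroring the layout in the post.
    template_dn = f"cn={quote_rdn_value(role_dn)},{cos_def_dn}"
    return [
        {"dn": role_dn, "cn": [role_name], "nsRoleFilter": [role_filter],
         "objectClass": ["top", "ldapsubentry", "nsRoleDefinition",
                         "nsComplexRoleDefinition", "nsFilteredRoleDefinition"]},
        {"dn": cos_def_dn, "cn": [f"{role_name}PwdPolicyCoS"],
         "cosSpecifier": ["nsRole"], "cosTemplateDn": [cos_def_dn],
         # "default": a real pwdPolicySubentry on the entry wins over the CoS value;
         # "operational-default": the attribute is operational, serve it anyway.
         "cosAttribute": ["pwdPolicySubentry default operational-default"],
         "objectClass": ["top", "ldapsubentry", "cosSuperDefinition", "cosClassicDefinition"]},
        {"dn": template_dn, "cosPriority": [str(priority)], "pwdPolicySubentry": [policy_dn],
         "objectClass": ["top", "costemplate", "extensibleObject", "ldapsubentry"]},
    ]


def build_ldif(role_name: str, role_filter: str, policy_dn: str, priority: int) -> str:
    return "\n".join(entry_to_ldif(e) for e in build_entries(role_name, role_filter, policy_dn, priority))


# ---- simulation of what the server computes ---------------------------------

def assign_roles(entries: list, roles: list) -> list:
    """Give each entry the nsRole values it matches.

    Simplification: only a single 'attr=value' equality filter is evaluated;
    a real nsRoleFilter accepts any LDAP filter.
    """
    for entry in entries:
        entry["nsRole"] = []
        for role_dn, role_filter in roles:
            attr, _, value = role_filter.strip("()").partition("=")
            if any(v.lower() == value.lower() for v in entry.get(attr, [])):
                entry["nsRole"].append(role_dn)
    return entries


def effective_policy(entry: dict, templates: dict, fallback: str = GLOBAL_POLICY) -> str:
    """templates maps an nsRole value to (cosPriority or None, policy DN).

    Lowest cosPriority wins (0 is the highest priority); templates without a
    cosPriority rank after every template that has one.
    """
    if entry.get("pwdPolicySubentry"):            # "default" qualifier: real value wins
        return entry["pwdPolicySubentry"][0]
    candidates = [templates[r] for r in entry.get("nsRole", []) if r in templates]
    if not candidates:
        return fallback
    best = min(candidates, key=lambda t: (t[0] is None, t[0] or 0))
    return best[1]


if __name__ == "__main__":
    print(build_ldif("noExpireRole", "ou=UniquePolicyRole",
                     f"cn=noExpirePolicy,cn=PwdPolicies,{PEOPLE}", 0))
```

After loading the generated LDIF with ldapmodify, check a member entry with ldapsearch and request nsRole and pwdPolicySubentry by name, since both are operational attributes and are not returned by default; if the role shows up but the policy does not, the template RDN does not match the nsRole value exactly.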
From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Juan Carlos Camargo
Sent: Thursday, August 29, 2013 2:13 PM
To: General discussion list for the 389 Directory server project.
Subject: Password policy applied to a group
389ds'ers,
I'm struggling to find the best way to apply a password policy only to members of a group, the rest having either the global or user/local policy. I have a number of users whose password should never expire, but those users live in different OUs and don't even share a parent branch. Do you think a CoS might help? Which do you think would be the best way to implement this?
Thanks!
--
Juan Carlos Camargo Carrillo.
@jcarloscamargo
957-211157 , 650932877
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users