Re: subtree password policy problems

On 11/16/2016 07:06 AM, Alberto Viana wrote:
Hi,

Anyone? I really need some help on this.
All you should need to do is set up a subtree policy on those OUs, and those should override the global policy.

There was a bug, which I cannot seem to find anymore, where this was not working: the subtree policy was not overriding the global policy.  It was fixed, but I don't know if the version of 389 that you have has that fix or not.  Make sure you are on the latest version of 389 that your platform supports.

If this does not work, please file a ticket with the exact steps to reproduce the problem:

https://fedorahosted.org/389/newticket

Regards,
Mark


Thanks

On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <albertocrj@xxxxxxxxx> wrote:
Hi,

Just to explain better what I need:

Enforce a global password policy with password expiration, but disable it for some specific OUs (just disable the password expiration).




On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <albertocrj@xxxxxxxxx> wrote:
Hi,

389-ds: 1.3.4.11

What I Need:

Enforce a global password policy but disable it for some specific OUs.


Everything was working fine, but I realized that the specific OU for which I created a local policy started to store user passwords as plaintext:

I created the local policy using the script ns-newpwpolicy.pl as below:

/opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp

 Here's my config:

nsslapd-pwpolicy-local: on (under cn=config)

Double checked using 389 console that under this OU, "Fine-grained subtree policy enabled" is set on.


ldapsearch  -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
# extended LDIF
#
# LDAPv3
# base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#

# cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPol
 icyContainer, testing, homolog.rnp
dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=n
 sPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
passwordStorageScheme: SSHA
passwordChange: off
passwordMaxAge: 8640000
passwordExp: off
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp



A user entry on this OU:

dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
ntUserLastLogon: 131219776403276312
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson


Am I missing something?

Thanks

Alberto Viana




_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
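
The user entry quoted in the thread carries a `userPassword` value with no storage-scheme prefix. The following is an added example, not part of the original thread or of 389 Directory Server: a Python check that reads LDIF such as `ldapsearch` output and lists entries whose password value has no `{SCHEME}` prefix or uses `{CLEAR}`. The function names, the second sample entry and its digest bytes are constructed for illustration.

```python
import base64
import re
# Hashed values look like "{SSHA}..."; a value with no prefix is stored as-is.
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")

def unfold(ldif):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit_passwords(ldif):
    """Return (dn, scheme) per userPassword value; scheme None = no prefix."""
    results, dn = [], None
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        is_b64 = rest.startswith(":")  # "attr:: value" means base64-encoded
        value = rest[1:].strip() if is_b64 else rest.strip()
        raw = base64.b64decode(value) if is_b64 else value.encode()
        if name.lower() == "dn":
            dn = raw.decode()
        elif name.lower() == "userpassword":
            m = SCHEME_RE.match(raw)
            results.append((dn, m.group(1).decode().upper() if m else None))
    return results

def cleartext_dns(ldif):
    """DNs whose password is unprefixed or explicitly stored as {CLEAR}."""
    return [dn for dn, s in audit_passwords(ldif) if s in (None, "CLEAR")]

# Sample: entry 1 is from the post; entry 2 is constructed (placeholder digest).
_FAKE = base64.b64encode(b"{SSHA}" + base64.b64encode(bytes(24))).decode()
SAMPLE_LDIF = (
    "dn: uid=app-test,OU=testing,dc=homolog,dc=rnp\n"
    "userPassword:: MXEydzNlNHI=\n"
    "\n"
    "dn: uid=constructed-user,OU=testing,dc=homo\n"
    " log,dc=rnp\n"
    "userPassword:: " + _FAKE + "\n"
)

if __name__ == "__main__":
    for dn in cleartext_dns(SAMPLE_LDIF):
        print("cleartext userPassword:", dn)
```

The check reports only the DN and never prints the decoded value, so its output can be shared in a ticket.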
