Re: subtree password policy problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/18/2016 01:39 PM, Alberto Viana wrote:
Mark,

I updated to 1.3.5.14 version and realized that:

- If I create the subtree policy using ns-newpwpolicy.pl, 389 starts to storage userpassword as plaintext (the other things as disable password expiration works fine), to this specific subtree

- If I create the subtree policty using 389-console, everything works fine.

Analysing the nsPwPolicyContainer and nsPwTemplateEntry created by both methods I could not find any difference.

The exactly same thing happens on 1.3.4.11, so is that a script problem?
If the console works, but the script fails then there is something funny with the script.  So please file a ticket with the exact steps to reproduce the problem, and your initial analysis:

https://fedorahosted.org/389/newticket

Thanks!
Mark



Should I file a ticket anyway?

Thanks

Alberto Viana

On Wed, Nov 16, 2016 at 10:24 AM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:


On 11/16/2016 07:06 AM, Alberto Viana wrote:
Hi,

Anyone? I really need some help on this.
 All you should need to do is setup a subtree policy on those OU's, and those should override the global policy. 

There was bug, that I can not seem to find anymore, where this was not working: Subtree policy was not overriding the global policy.  It was fixed, but I don't know if the version of 389 that you have has that fix or not.  Make sure you are on the latest version of 389 that your platform supports.

If this does not work please file a ticket with the exact steps to reproduce the problem:

https://fedorahosted.org/389/newticket

Regards,
Mark


Thanks

On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <albertocrj@xxxxxxxxx> wrote:
Hi,

Just to explain better what I need:

Enforce a global password policy with password expiration but disable for some specifics OUs (just disable the password expiration).




On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <albertocrj@xxxxxxxxx> wrote:
Hi,

389-ds: 1.3.4.11

What I Need:

Enforce a global password policy but disable for some specifics OUs.


Everything was working fine but I realized for that specific OU that I created a local policy started to storage user password as plaintext:

I created the local policy using the script ns-newpwpolicy.pl as below:

/opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp

 Here's my config:

nsslapd-pwpolicy-local: on (under cn=config)

Double checked using 389 console that under this OU, "Fine-grained subtree policy enabled" is set on.


ldapsearch  -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
# extended LDIF
#
# LDAPv3
# base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#

# cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPol
 icyContainer, testing, homolog.rnp
dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=n
 sPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
passwordStorageScheme: SSHA
passwordChange: off
passwordMaxAge: 8640000
passwordExp: off
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp



A user entry on this OU:

dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
ntUserLastLogon: 131219776403276312
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson


Am I missing something?

Thanks

Alberto Viana




_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
_______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org 
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux