Re: Question about password policy implementation

On Tue, 2017-07-11 at 15:53 -0700, Darren Struthers wrote:
> I have inherited an instance of 389 Directory Server running version
> 1.2.10.2. I have observed some inconsistency in the server's behavior when
> I apply a user-level password policy to an account which has not previously
> had one (either directly via a user-level policy or indirectly via a
> subtree-level policy). I have applied a basic policy with a 7-day password
> expiration and 7-day warning period on several accounts. When I did this,
> some accounts seemed to start the 7-day clock upon a subsequent login,
> while others seemed to have no observable effect (i.e. the account state
> warning for a near expiration is not returned after authentication).
> 
> Does anyone know what factors could result in this inconsistency in this
> version? The behavior seems to diverge along account age lines, with older
> accounts seeming to behave differently than the newer accounts, leading me
> to wonder if someone previously applied and removed password policies at
> either the user- or subtree-level in the past, and if so, whether that
> could potentially lead to the inconsistency I'm observing.

How are they logging in? Via a Unix machine? Perhaps something that is
reading shadow instead?

> 
> A secondary question: does anyone know if it is possible to see the state
> of the expiration timer for accounts in this version?

If I recall correctly, I think the timers are relative to fixed points
in time, so look at the admin guide here, it might help you?

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/account-policy-plugin

> 
> Any information or advice anyone has is appreciated. I can provide more
> information about the server in question if necessary.
> 
> Thanks,
> Darren
> 
> 
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
