Re: Password policy not working

Aside from any default policies, I created a password policy for the subtree on ou=People,dc=example,dc=org. The enabled settings in that policy are:

- Fine-grained subtree policy enabled
- Password expires after x days
- Check password syntax (followed by the specifications for that)

The “User may change password” option is left unchecked in this password policy.

I don’t have a user password policy enabled, only subtree. I have my user objects and passwords being synced over from AD via a unidirectional relationship (win-to-linux).

From: Mark Reynolds <mreynolds@xxxxxxxxxx>
Sent: Monday, October 15, 2018 3:19 PM
To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Nick W. Harrison <nwharrison@xxxxxxxxxxxxxxxxx>
Subject: Re: [389-users] Re: Password policy not working

 

 

On 10/15/18 10:09 AM, Nick W. Harrison wrote:

The version of 389-ds-base is 1.3.7.5-24.

 

The below snippet appears to be the full sequence from the access log on my LDAP server. I have a Linux client using SSSD to bind to the directory (account: mybindacct). I SSH into my client as johndoe and change my password with the usual passwd command.

 

[15/Oct/2018:09:26:11.609685215 -0400] conn=206895 TLS1.2 256-bit AES-GCM
[15/Oct/2018:09:26:11.612881217 -0400] conn=206895 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[15/Oct/2018:09:26:11.613707013 -0400] conn=206895 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0011199684
[15/Oct/2018:09:26:11.615468995 -0400] conn=206895 op=1 BIND dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.615687824 -0400] conn=206895 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0000260954 dn="uid=mybindacct,ou=special users,dc=example,dc=org"
[15/Oct/2018:09:26:11.616003685 -0400] conn=206895 op=2 BIND dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.616327955 -0400] conn=206895 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000365138 dn="uid=johndoe,ou=test,ou=people,dc=example,dc=org"
[15/Oct/2018:09:26:11.624910413 -0400] conn=206895 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:26:11.627984160 -0400] conn=206895 op=3 RESULT err=0 tag=120 nentries=0 etime=0.0003117005
[15/Oct/2018:09:26:11.630152739 -0400] conn=206895 op=4 UNBIND

 

One question is which account is actually doing the attribute change: is my SSSD bind account the one updating the johndoe password attribute on behalf of the johndoe user?

It should be changing it as "uid=johndoe,ou=test,ou=people,dc=example,dc=org", but perhaps the password modify extended operation is bypassing the password policy?  I need to try and reproduce this before opening a ticket.  So the global password policy under cn=config allows users to change their password, but a subtree policy denies the user this privilege but they are still allowed to reset their own password, is this correct?  I need to make sure I am using the same setup as you are.

Mark

 

 

 

Thanks,

Nick

 

 

From: Mark Reynolds <mreynolds@xxxxxxxxxx>
Sent: Friday, October 12, 2018 12:32 PM
To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Nick W. Harrison <nwharrison@xxxxxxxxxxxxxxxxx>
Subject: Re: [389-users] Password policy not working

 

That is the wrong package, "389-ds"; what is the version of "389-ds-base"?

Can you share what is in the server's access log when the password is changed (/var/log/dirsrv/slapd-YOUR_INSTANCE/access)?  There should be a few operations that occur during the password change so please make sure to provide a full clip from the log.

Thanks,

Mark

 

On 10/12/18 12:05 PM, Nick W. Harrison wrote:

Hello –

 

I have a password policy on the OU that contains all of my user accounts. This password policy is set on the subtree and the “user may change password” option is deselected. However, I’m still able to change my password if I use passwd on an LDAP client.

 

I’m running an older version of 389-ds, v.1.2.2-6, and am wondering if there is anything additional I need to put in place to prevent users from changing their passwords. My accounts and passwords are replicated over from AD with a unidirectional relationship, and the clients are doing simple binds.

 

Thanks for any thoughts.
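The attribution question Mark raises in the thread (which bound identity actually issued the password-modify extended operation on conn=206895) can be answered mechanically from the access log: the identity for any operation is the last successful BIND on that connection, and an EXT with OID 1.3.6.1.4.1.4203.1.11.1 is the RFC 3062 Password Modify request that passwd sends through SSSD. The script below is an added example, not code from the thread or from the 389-ds project. It replays the conn=206895 lines quoted above (the SRCH attrs list is shortened), tracks the bound DN per connection, and reports the actor for every Password Modify request and whether that actor sits under the subtree the policy governs. The conn=206896 lines are constructed for illustration and are not in the original log; the policy base and the `in_subtree` helper are assumptions for this example.

```python
"""Attribute RFC 3062 Password Modify requests in a 389-ds access log to the
identity bound on the connection. Added example, not part of the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify

# conn=206895 lines are the ones quoted in the thread (attrs list shortened);
# conn=206896 is CONSTRUCTED to show a change issued by the SSSD bind account.
SAMPLE_LOG = """\
[15/Oct/2018:09:26:11.609685215 -0400] conn=206895 TLS1.2 256-bit AES-GCM
[15/Oct/2018:09:26:11.612881217 -0400] conn=206895 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts"
[15/Oct/2018:09:26:11.613707013 -0400] conn=206895 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0011199684
[15/Oct/2018:09:26:11.615468995 -0400] conn=206895 op=1 BIND dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.615687824 -0400] conn=206895 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0000260954 dn="uid=mybindacct,ou=special users,dc=example,dc=org"
[15/Oct/2018:09:26:11.616003685 -0400] conn=206895 op=2 BIND dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.616327955 -0400] conn=206895 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000365138 dn="uid=johndoe,ou=test,ou=people,dc=example,dc=org"
[15/Oct/2018:09:26:11.624910413 -0400] conn=206895 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:26:11.627984160 -0400] conn=206895 op=3 RESULT err=0 tag=120 nentries=0 etime=0.0003117005
[15/Oct/2018:09:26:11.630152739 -0400] conn=206895 op=4 UNBIND
[15/Oct/2018:09:27:00.000000000 -0400] conn=206896 op=0 BIND dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:27:00.000100000 -0400] conn=206896 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn="uid=mybindacct,ou=special users,dc=example,dc=org"
[15/Oct/2018:09:27:00.001000000 -0400] conn=206896 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:27:00.002000000 -0400] conn=206896 op=1 RESULT err=0 tag=120 nentries=0 etime=0.0010000000
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)(?: .*?dn="(?P<dn>[^"]*)")?')
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"')


@dataclass
class PasswordChange:
    conn: str
    op: str
    ts: str
    actor_dn: str          # DN bound on the connection when the EXT was issued ("" = anonymous)
    err: Optional[int]     # LDAP result code from the matching RESULT line


def attribute_password_changes(lines) -> List[PasswordChange]:
    """Walk access-log lines in order and pair every Password Modify EXT with
    the last successful BIND on the same connection."""
    bound: Dict[str, str] = {}                        # conn -> current bound DN
    pending_bind: Dict[Tuple[str, str], str] = {}     # (conn, op) -> requested bind DN
    pending_ext: Dict[Tuple[str, str], PasswordChange] = {}
    out: List[PasswordChange] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if rest.startswith("BIND "):
            pending_bind[(conn, op)] = BIND_RE.match(rest)["dn"]
        elif rest.startswith("RESULT "):
            r = RESULT_RE.match(rest)
            err = int(r["err"])
            if (conn, op) in pending_bind:
                requested = pending_bind.pop((conn, op))
                # A failed bind leaves the connection anonymous (RFC 4511 4.2.1);
                # on success prefer the server-normalised DN on the RESULT line.
                bound[conn] = (r["dn"] or requested) if err == 0 else ""
            elif (conn, op) in pending_ext:
                change = pending_ext.pop((conn, op))
                change.err = err
                out.append(change)
        elif rest.startswith("EXT "):
            if EXT_RE.match(rest)["oid"] == PASSWD_MODIFY_OID:
                pending_ext[(conn, op)] = PasswordChange(conn, op, m["ts"], bound.get(conn, ""), None)
        elif rest.startswith("UNBIND"):
            bound.pop(conn, None)
    return out


def in_subtree(dn: str, base: str) -> bool:
    """Case-insensitive check that dn is base or lies beneath it (assumed helper)."""
    norm = lambda s: re.sub(r",\s*", ",", s.strip().lower())
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))


def report(changes: List[PasswordChange], policy_base: str) -> List[str]:
    return [
        f"conn={c.conn} op={c.op} actor={c.actor_dn or '<anonymous>'} "
        f"err={c.err} under_policy_subtree={in_subtree(c.actor_dn, policy_base)}"
        for c in changes
    ]


if __name__ == "__main__":
    # Policy base assumed from the thread: the subtree policy on ou=People.
    for line in report(attribute_password_changes(SAMPLE_LOG.splitlines()), "ou=People,dc=example,dc=org"):
        print(line)
```

On the quoted log this attributes op=3 to uid=johndoe (the second BIND on the connection), not to mybindacct, so the policy on ou=People is the one that should have applied. Note that the access log records only the actor; the target of a Password Modify travels in the request's userIdentity field and is not logged on the EXT line, so confirming whose userPassword was written needs the audit log or a before/after comparison of the entry.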




_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx


