Re: ns-newpolicy/pl documentation/use case

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 9/20/21 6:36 PM, Ghiurea, Isabella wrote:

 

 

From: Ghiurea, Isabella
Sent: September 20, 2021 3:32 PM
To: 'Mark Reynolds' <mreynolds@xxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: [389-users] ns-newpolicy/pl documentation/use case

 

I cfg the DS  see the dse,ldif,  next reboot the server and update a user passwd with  ldappasswd, I am not able to see  passwordTrackUpdateTime in user entry.

 

nsslapd-pwpolicy-inherit-global: on

nsslapd-pwpolicy-local: on

passwordTrackUpdateTime: on

 

running 389-ds-base-1.3.9

 

I tried with nsslapd-pwpolicy-local: off and

nsslapd-pwpolicy-inherit-global: on and

passwordTrackUpdateTime: on

and still same result.

Please , what I am missing from this cfg ?

I have no idea, all I did was set passwordTrackUpdateTime to on, and then I changed a user's password.  That is it.  No other configuration changes are needed.  After that I saw this in the audit log:

    dn: uid=demo_user,ou=people,dc=example,dc=com
    changetype: modify
    replace: pwdUpdateTime
    pwdUpdateTime: 20210920205730Z

Now pwdUpdateTime is an operational attribute, so if you want to confirm it was written by doing a search, then the search must request that attribute (or else it is not returned to the client):

# ldapsearch -D "..." -W -b dc=example,dc=com uid=demo_user pwdUpdateTime

Mark

Thank you!

 

 

From: Mark Reynolds [mailto:mreynolds@xxxxxxxxxx]
Sent: September 20, 2021 2:00 PM
To: Ghiurea, Isabella <Isabella.Ghiurea@xxxxxxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [389-users] ns-newpolicy/pl documentation/use case

 

***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC

 

On 9/20/21 11:32 AM, Ghiurea, Isabella wrote:

Thank you, so the steps to have this  attribute cfg  and  with set value for each user  are :

 

1.       In DS cfg add attriute PasswordTrackUpddateTime to on, nsslapd-policy-local to on and nsslapd-pwpolicy-inherit –global to on

2.       Have users chage their passwd

3.       The uid entries wtill display the new attribute :PasswordTrackUpdateTime with time stamp value

Is this sufficient  to have this attribute populate for each DS entry ?

 

Do I  still need to run this ns-newpolicy.pl script ?

Do you really need a local subtree policy?  If the password policy you want to use will apply to all your users then you can simplify all of this.  Just set passwordTrackUpdateTime to "on".  That's it. 

If affirmative, I would like to learn when and what arguments must provide at run time ?

Sorry, I'm not sure what you are asking here...

Mark

 

Isabella

4.        

 

From: Mark Reynolds [mailto:mreynolds@xxxxxxxxxx]
Sent: September 20, 2021 6:01 AM
To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Ghiurea, Isabella <Isabella.Ghiurea@xxxxxxxxxxxxxx>
Subject: Re: [389-users] ns-newpolicy/pl documentation/use case

 

***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC

 

On 9/17/21 4:46 PM, Ghiurea, Isabella wrote:

Hi List

I am searching for  some  documentation  for ns-newpolicy.pl file , as per RH Doc I can  use that script to add the attribute : pwdUpdateTime to each uid  entry after I  already cfg in  DS  Password TrackUpdateTime and  pwdpolicy-  inherit -global  to ‘on’;

The only docs we have are the official Red Hat docs.  Here's a recap...

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordTrackUpdateTime

This will start to add "pwdUpdateTime" to entries after they change their passwords, but it does not automatically add it to all existing entries.  They must change their passwords after enabling this setting for pwdUpdateTime to be set.

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_pwpolicy_inherit_global_Inherit_Global_Password_Policy

This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings.  Otherwise only the local policy is applied.

HTH,
Mark

Thank you

Isabella



_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 
Directory Server Development Team
-- 
Directory Server Development Team
-- 
Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux