Re: Password policy don't work on a subtree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hello,

I use only GUI for configuration. I do not use perl script.

I have checked the "Enable fine-grained password policy" on global Password Policy.
And i have configured a local Password policy on a subtree.
But this second policy do not work as it should : the minimum lenght of password is ignored.

"nsslapd-pwpolicy-local: on" appears my dse.ldif file

a ldap search show password policy but some attribut of my policy dos not appears !


exemple :
dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp, dc=fr",cn=nsPwPolicyContainer,ou=
tests,dc=inrp,dc=fr
passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000
objectClass: ldapsubentry
objectClass: passwordpolicy

here, the "passwordMinLen" attribute does not appear, but i have enter this with GUI tool (value = "8" chars) !!!!

this is a bug ?


i apply the same policy for global and for local subtree but i have differents LDAP entries !

global policy attributes :

nsslapd-security: on
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
passwordCheckSyntax: on
passwordMinAlphas: 1
passwordMinDigits: 1
passwordMaxAge: 63072000
passwordExp: on
passwordHistory: on
passwordWarning: 0
passwordInHistory: 10

local policy attributes :

passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000

here : passwordMinLen is losed !!!!!


=> how can i apply this rule about min length of password ?????


regards


Visolve LDAP Group a écrit :

Hi,

Hugo Étiévant,

I believe you configured the sub tree password policy through ns-newpwpolicy.pl script.

When you configure the global password policy it may override the sub tree password policy. So make sure that 'nsslapd-pwpolicy-local' is 'on' in cn=config entry of dse.ldif file to make the sub tree policy to work.

This attribute decides whether the local password policy is enabled or not. Anyways the execution of ns-newpwpolicy.pl script will turn this attribute value to 'on'.

However you cannot see any traces of sub tree Password policy attributes by searching cn=config tree or in dse.ldif file. It will show only global password policy attributes.

You can see list of applied *sub tree *password policy *attributes* by performing a search like this.

/opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \

-D "<managerDN>" -w <passwd> -b <suffix>  *objectclass=ldapsubentry*

dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com

objectClass: top

objectClass: ldapsubentry

objectClass: passwordpolicy

cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com

passwordExp: off

passwordMaxAge: 10

passwordWarning: 15

passwordGraceLimit: 1

pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic

 yContainer,ou=marketing,o=abc.com

Regards,

ViSolve LDAP Team.

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Hugo Etievant
Sent: Wednesday, February 25, 2009 9:41 PM
To: General discussion list for the Fedora Directory server project.
Subject:  Password policy don't work on a subtree

hello,

version : Directory Server 1.1.3 on Fedora 8 64 bits plateform

When i configure a password policy on a subtree of my directory, this

policy do not works.

When i configure a global password policy, this global policy works but

ignore locals policy of subtrees.

when i look at the databases ldif backup, il do not find the

"passwordMinLength" attribute for local password policy for subtrees

but this attribut exists in dse ldif for the global policy !

how resolve this ?




--
* Hugo Étiévant *
*Bibliothèque Denis Diderot
Coordinateur informatique du Projet SID (Système d'Information Documentaire)*
hugo.etievant@xxxxxxx <mailto:hugo.etievant@xxxxxxx>
Tel : 04 72 76 61 13   -  Fax : 04 72 76 61 10

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux