Hello,
I use only the GUI for configuration. I do not use the perl script.
I have checked "Enable fine-grained password policy" on the global
Password Policy.
And I have configured a local password policy on a subtree.
But this second policy does not work as it should: the minimum length of
the password is ignored.
"nsslapd-pwpolicy-local: on" appears in my dse.ldif file.
An LDAP search shows the password policy, but some attributes of my policy do
not appear!
Example:
dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,
 dc=fr",cn=nsPwPolicyContainer,ou=
 tests,dc=inrp,dc=fr
passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000
objectClass: ldapsubentry
objectClass: passwordpolicy
Here, the "passwordMinLen" attribute does not appear, but I entered
it with the GUI tool (value = "8" chars)!!!!
Is this a bug?
I apply the same policy for global and for the local subtree, but I have
different LDAP entries!
Global policy attributes:
nsslapd-security: on
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
passwordCheckSyntax: on
passwordMinAlphas: 1
passwordMinDigits: 1
passwordMaxAge: 63072000
passwordExp: on
passwordHistory: on
passwordWarning: 0
passwordInHistory: 10
Local policy attributes:
passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000
Here: passwordMinLen is lost!!!!!
=> How can I apply this rule about the minimum length of the password?
Regards
Visolve LDAP Group wrote:
Hi,
Hugo Étiévant,
I believe you configured the sub tree password policy through
ns-newpwpolicy.pl script.
When you configure the global password policy, it may override the sub
tree password policy. So make sure that 'nsslapd-pwpolicy-local' is
'on' in the cn=config entry of the dse.ldif file to make the sub tree policy
work.
This attribute decides whether the local password policy is enabled or
not. Anyways the execution of ns-newpwpolicy.pl script will turn this
attribute value to 'on'.
However you cannot see any traces of sub tree Password policy
attributes by searching cn=config tree or in dse.ldif file. It will
show only global password policy attributes.
You can see the list of applied sub tree password policy attributes by
performing a search like this.
/opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
-D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry
dn: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
passwordExp: off
passwordMaxAge: 10
passwordWarning: 15
passwordGraceLimit: 1
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic
 yContainer,ou=marketing,o=abc.com
Regards,
ViSolve LDAP Team.
-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Hugo
Etievant
Sent: Wednesday, February 25, 2009 9:41 PM
To: General discussion list for the Fedora Directory server project.
Subject: Password policy don't work on a subtree
Hello,
Version: Directory Server 1.1.3 on Fedora 8 64-bit platform
When I configure a password policy on a subtree of my directory, this
policy does not work.
When I configure a global password policy, this global policy works but
ignores local policies of subtrees.
When I look at the database LDIF backup, I do not find the
"passwordMinLength" attribute for the local password policy for subtrees,
but this attribute exists in the dse ldif for the global policy!
How to resolve this?
--
Hugo Étiévant
Bibliothèque Denis Diderot
IT Coordinator, SID Project (Système d'Information Documentaire)
hugo.etievant@xxxxxxx <mailto:hugo.etievant@xxxxxxx>
Tel : 04 72 76 61 13 - Fax : 04 72 76 61 10
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
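Added example (not part of the original thread or of the Directory Server project): a Python check that unfolds LDIF output and lists which password* attributes set in cn=config are missing from, or set differently in, each subtree policy entry. The sample LDIF is constructed and abridged from the entries quoted in the thread, and the function names are hypothetical.

```python
import re
# Constructed sample LDIF, abridged from the entries quoted in the thread.
GLOBAL_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordCheckSyntax: on
passwordMinDigits: 1
"""
LOCAL_LDIF = """\
dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,
 dc=fr",cn=nsPwPolicyContainer,ou=
 tests,dc=inrp,dc=fr
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordStorageScheme: ssha
passwordCheckSyntax: on
passwordMinDigits: 1
"""

def parse_ldif(text):
    """Return entries as {lowercased attr: [values]}; base64 ('::') values are not decoded."""
    entries = []
    unfolded = text.replace("\n ", "")  # LDIF folding: a continuation line starts with one space
    for block in re.split(r"\n\s*\n", unfolded.strip()):  # a blank line separates entries
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def policy_gaps(global_entry, local_entry):
    """Global password* attributes the subtree policy lacks or sets differently: attr -> (global, local)."""
    return {attr: (values, local_entry.get(attr))
            for attr, values in global_entry.items()
            if attr.startswith("password") and local_entry.get(attr) != values}

def check(global_ldif=GLOBAL_LDIF, local_ldif=LOCAL_LDIF):  # assumes cn=config is the first entry
    cfg = parse_ldif(global_ldif)[0]
    return {entry["dn"][0]: policy_gaps(cfg, entry)
            for entry in parse_ldif(local_ldif)
            if "passwordpolicy" in (oc.lower() for oc in entry.get("objectclass", []))}

if __name__ == "__main__":
    for dn, gaps in check().items():
        print(dn, gaps)
```

On the sample data the check reports passwordMinLength and passwordMinCategories as present in the global policy but absent from the subtree policy entry.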