Re: Password policy don't work on a subtree


 



Hugo Etievant wrote:
hello,

I use only GUI for configuration. I do not use perl script.
The GUI does the same thing as the perl script.

I have checked the "Enable fine-grained password policy" on global Password Policy.
And I have configured a local Password policy on a subtree.
But this second policy does not work as it should: the minimum length of password is ignored.

"nsslapd-pwpolicy-local: on" appears in my dse.ldif file

An LDAP search shows the password policy, but some attributes of my policy do not appear!


example:
dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp, dc=fr",cn=nsPwPolicyContainer,ou=
 tests,dc=inrp,dc=fr
passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000
objectClass: ldapsubentry
objectClass: passwordpolicy

Here, the "passwordMinLen" attribute does not appear, but I have entered this with the GUI tool (value = "8" chars)!!!!

Is this a bug?


I apply the same policy for global and for local subtree but I have different LDAP entries!

global policy attributes :

nsslapd-security: on
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
passwordCheckSyntax: on
passwordMinAlphas: 1
passwordMinDigits: 1
passwordMaxAge: 63072000
passwordExp: on
passwordHistory: on
passwordWarning: 0
passwordInHistory: 10

local policy attributes :

passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000

Here: passwordMinLen is lost!!!!!

Is passwordMinLength the only attribute you cannot set in your local password policy? Do you have this problem with any other attribute?


=> How can I apply this rule about min length of password?????


regards


Visolve LDAP Group wrote:

Hi,

Hugo Étiévant,

I believe you configured the sub tree password policy through ns-newpwpolicy.pl script.

When you configure the global password policy it may override the sub tree password policy. So make sure that 'nsslapd-pwpolicy-local' is 'on' in cn=config entry of dse.ldif file to make the sub tree policy to work.

This attribute decides whether the local password policy is enabled or not. Anyways the execution of ns-newpwpolicy.pl script will turn this attribute value to 'on'.

However you cannot see any traces of sub tree Password policy attributes by searching cn=config tree or in dse.ldif file. It will show only global password policy attributes.

You can see list of applied sub tree password policy attributes by performing a search like this.

/opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
-D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry

dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
passwordExp: off
passwordMaxAge: 10
passwordWarning: 15
passwordGraceLimit: 1
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic
 yContainer,ou=marketing,o=abc.com

Regards,

ViSolve LDAP Team.

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Hugo Etievant
Sent: Wednesday, February 25, 2009 9:41 PM
To: General discussion list for the Fedora Directory server project.
Subject: Password policy don't work on a subtree

hello,

version: Directory Server 1.1.3 on Fedora 8 64 bits platform

When I configure a password policy on a subtree of my directory, this policy does not work.

When I configure a global password policy, this global policy works but ignores local policies of subtrees.

When I look at the database LDIF backup, I do not find the "passwordMinLength" attribute for local password policy for subtrees, but this attribute exists in dse ldif for the global policy!

How to resolve this?







--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
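
Added example, not part of the original messages: a Python check that parses the output of the objectclass=ldapsubentry search shown in the thread (including folded LDIF lines) and lists which password* attributes set in the global policy are absent from, or set differently in, a subtree policy entry. The function names are hypothetical and the sample data is constructed and abridged from the attribute listings quoted above.

```python
# Added example: which global password policy settings are absent from a
# subtree policy entry? Sample data is constructed from the thread's listings.
GLOBAL_POLICY = """\
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
passwordCheckSyntax: on
passwordMinAlphas: 1
passwordMinDigits: 1
passwordMaxAge: 63072000
"""
# Subtree entry as ldapsearch prints it (abridged); note the folded dn line.
SUBTREE_ENTRY = """\
dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp, dc=fr",cn=nsPwPolicyContainer,ou=
 tests,dc=inrp,dc=fr
passwordMinDigits: 1
passwordMinAlphas: 1
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordMaxAge: 63072000
objectClass: ldapsubentry
objectClass: passwordpolicy
"""

def parse_ldif_entry(text):
    """Unfold continuation lines (leading space); return {attr_lowercase: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: drop exactly one space
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")   # base64 ("::") values are not decoded
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def policy_gaps(global_text, subtree_text):
    """Return (missing, different) password* attributes relative to the global policy."""
    g, s = parse_ldif_entry(global_text), parse_ldif_entry(subtree_text)
    names = sorted(a for a in g if a.startswith("password"))
    missing = [a for a in names if a not in s]
    different = [a for a in names if a in s and s[a] != g[a]]
    return missing, different

if __name__ == "__main__":
    missing, different = policy_gaps(GLOBAL_POLICY, SUBTREE_ENTRY)
    print("set globally, absent from subtree policy:", missing)
    print("set in both with different values:", different)
```

Attribute names are compared case-insensitively, so the results are reported in lowercase.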
