Either I'm missing something or password policies just don't work in Red Hat (CentOS) Directory Server 8.2.8.
I started by creating a subtree policy on the command line:
# ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org
adding new entry cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
adding new entry cn=cn=nsPwPolicyEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
adding new entry cn=cn=nsPwTemplateEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
adding new entry cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
modifying entry cn=config
The following were created:
dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer
dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyC
ontainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=
nsPwPolicyContainer,ou=students,dc=domain,dc=org
cosAttribute: pwdpolicysubentry default operational-default
cn: nsPwPolicy_cos
dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyCon
tainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
I added the policy attributes we're interested in:
dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyCon
tainer,ou=students,dc=domain,dc=org
passwordResetFailureCount: 600
passwordMaxFailure: 10
passwordLockout: on
passwordMinLength: 6
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
I then tried 11 ldapsearches as a user under ou=students,dc=domain,dc=org and the account was not locked out.
I then checked the console and the settings weren't there. I set them and it added two additional entries:
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwP
olicyContainer,ou=students,dc=domain,dc=org
passwordMaxFailure: 10
passwordResetFailureCount: 600
passwordLockout: on
passwordStorageScheme: ssha
passwordCheckSyntax: on
passwordChange: off
passwordMinAge: 0
passwordExp: off
passwordMustChange: off
passwordMinLength: 6
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsP
wPolicyContainer,ou=students,dc=domain,dc=org
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
However I still can't force a user to be locked out.
I did set passwordIsGlobalPolicy to on under cn=config, though as far as I can tell that only affects replication of password policies.
Am I missing something?
Thanks,
-morgan
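A check worth running on the entries above, as an added example that is not part of the original post or of the Directory Server tooling: the subtree policy only takes effect if the `cosPointerDefinition`'s `cosTemplateDn` resolves to a `cosTemplate` entry, and the two sets of entries in the post differ only in how the DN is escaped (`\2C` for `,` in the script-created entries, `\3D` for `=` added by the console). The script below parses the LDIF, decodes RFC 4514 escapes, reports whether every CoS pointer resolves, and lists raw DN spellings that collapse to the same normalized DN. The embedded LDIF is constructed from the entries in the post, trimmed to the attributes that matter for the wiring; the function and result-key names are my own.

```python
"""Check the CoS wiring of a 389 DS / Red Hat Directory Server subtree
password policy from an LDIF dump (added example; not the server's code)."""
import re
from collections import defaultdict

# Constructed sample: the entries shown in the post, reduced to the attributes
# that matter for the CoS wiring. Leading-space lines are LDIF continuations.
SAMPLE_LDIF = r"""dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyC
 ontainer,ou=students,dc=domain,dc=org
objectClass: costemplate
objectClass: ldapsubentry

dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=
 nsPwPolicyContainer,ou=students,dc=domain,dc=org
cosAttribute: pwdpolicysubentry default operational-default

dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyCon
 tainer,ou=students,dc=domain,dc=org
objectClass: passwordpolicy
passwordLockout: on

dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwP
 olicyContainer,ou=students,dc=domain,dc=org
objectClass: passwordpolicy
passwordLockout: on

dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsP
 wPolicyContainer,ou=students,dc=domain,dc=org
objectClass: costemplate
objectClass: ldapsubentry
"""

_HEX = re.compile(r"\\([0-9A-Fa-f]{2})")


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lower: [values]})], unfolding continuations."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    return entries


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])       # keep the escape intact for now
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(v):
    """Decode RFC 4514 escapes: \\XX hex pairs (UTF-8 bytes) and \\c."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            m = _HEX.match(v, i)
            if m:
                out.append(int(m.group(1), 16))
                i += 3
            else:
                out.extend(v[i + 1].encode())
                i += 2
            continue
        out.extend(v[i].encode())
        i += 1
    return out.decode("utf-8", "replace")


def normalize_dn(dn):
    """Canonical DN: tuple of (type, value), escapes decoded, case-folded
    (cn/ou/dc all use case-insensitive matching)."""
    rdns = []
    for rdn in split_dn(dn):
        typ, _, val = rdn.partition("=")  # first '=' separates type and value
        rdns.append((typ.strip().lower(), unescape_value(val.strip()).lower()))
    return tuple(rdns)


def check_policy_wiring(ldif_text):
    """Report CoS pointers whose cosTemplateDn resolves to no cosTemplate,
    pointers that do not publish pwdpolicysubentry, and DN spellings that
    collapse to one normalized policy/template DN."""
    by_dn, templates, policies, pointers = defaultdict(list), set(), set(), []
    for dn, attrs in parse_ldif(ldif_text):
        ndn = normalize_dn(dn)
        by_dn[ndn].append(dn)
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "costemplate" in classes:
            templates.add(ndn)
        if "passwordpolicy" in classes:
            policies.add(ndn)
        if "cospointerdefinition" in classes:
            pointers.append((dn, attrs))
    findings = {"unresolved_pointers": [], "bad_cosattribute": [], "duplicates": {}}
    for dn, attrs in pointers:
        for target in attrs.get("costemplatedn", []):
            if normalize_dn(target) not in templates:
                findings["unresolved_pointers"].append((dn, target))
        if not any(a.lower().startswith("pwdpolicysubentry")
                   for a in attrs.get("cosattribute", [])):
            findings["bad_cosattribute"].append(dn)
    for ndn, raws in by_dn.items():
        if len(raws) > 1 and (ndn in templates or ndn in policies):
            findings["duplicates"][raws[0]] = raws
    findings["policy_count"], findings["template_count"] = len(policies), len(templates)
    return findings


if __name__ == "__main__":
    for key, val in check_policy_wiring(SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```

On the posted entries the pointer resolves and both policy DNs (and both template DNs) decode to the same value, so whether the server really holds two policy entries or one depends on its own DN normalization. The authoritative answer is what the server hands a user: request the operational attribute `pwdpolicysubentry` on a user entry under `ou=students` (it is not returned by a plain search, so name it explicitly or use `+`) and confirm it points at the policy entry that carries `passwordLockout: on`. Lockout is driven by failed binds, and the per-user operational attributes `passwordRetryCount`, `retryCountResetTime` and `accountUnlockTime` show whether the failures are being counted at all.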