Thanks.
On Fri, Nov 18, 2016 at 5:14 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
On 11/18/2016 01:39 PM, Alberto Viana wrote:
> Mark,
>
> I updated to 1.3.5.14 version and realized that:
>
> - If I create the subtree policy using ns-newpwpolicy.pl,
> 389 starts to store userpassword as plaintext (the other
> things, such as disabling password expiration, work fine)
> for this specific subtree
>
> - If I create the subtree policy using 389-console, everything
> works fine.
>
> Analysing the nsPwPolicyContainer and nsPwTemplateEntry created
> by both methods I could not find any difference.
>
> The exact same thing happens on 1.3.4.11, so is that a script
> problem?
If the console works, but the script fails then there is something
funny with the script. So please file a ticket with the exact
steps to reproduce the problem, and your initial analysis:
https://fedorahosted.org/389/newticket
Thanks!
Mark
>
> Should I file a ticket anyway?
>
> Thanks
>
> Alberto Viana
>
> On Wed, Nov 16, 2016 at 10:24 AM, Mark Reynolds <mareynol(a)redhat.com> wrote:
>
>
>
> On 11/16/2016 07:06 AM, Alberto Viana wrote:
>> Hi,
>>
>> Anyone? I really need some help on this.
> All you should need to do is setup a subtree policy on those
> OU's, and those should override the global policy.
>
> There was a bug, that I cannot seem to find anymore, where
> this was not working: Subtree policy was not overriding the
> global policy. It was fixed, but I don't know if the version
> of 389 that you have has that fix or not. Make sure you are
> on the latest version of 389 that your platform supports.
>
> If this does not work please file a ticket with the exact
> steps to reproduce the problem:
>
> https://fedorahosted.org/389/newticket
>
> Regards,
> Mark
>
>
>> Thanks
>>
>> On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <albertocrj(a)gmail.com> wrote:
>>
>> Hi,
>>
>> Just to explain better what I need:
>>
>> Enforce a global password policy with password
>> expiration but disable it for some specific OUs (just
>> disable the password expiration).
>>
>>
>>
>>
>> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <albertocrj(a)gmail.com> wrote:
>>
>> Hi,
>>
>> 389-ds: 1.3.4.11
>>
>> What I Need:
>>
>> Enforce a global password policy but disable it for
>> some specific OUs.
>>
>> Doc:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10...
>>
>> Everything was working fine, but I realized that the
>> specific OU for which I created a local policy started to
>> store user passwords as plaintext:
>>
>> I created the local policy using the script
>> ns-newpwpolicy.pl as below:
>>
>> /opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
>>
>> Here's my config:
>>
>> nsslapd-pwpolicy-local: on (under cn=config)
>>
>> Double checked using 389 console that under this OU,
>> "Fine-grained subtree policy enabled" is set on.
>>
>>
>> ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
>> # filter: (objectclass=ldapsubentry)
>> # requesting: ALL
>> #
>>
>> # cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
>> dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
>> passwordStorageScheme: SSHA
>> passwordChange: off
>> passwordMaxAge: 8640000
>> passwordExp: off
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: costemplate
>> objectClass: ldapsubentry
>> cosPriority: 1
>> cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
>>
>>
>>
>> A user entry on this OU:
>>
>> dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
>> userPassword:: MXEydzNlNHI=
>> ntUserLastLogon: 131219776403276312
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetOrgPerson
>>
>>
>> Am I missing something?
>>
>> Thanks
>>
>> Alberto Viana
>>
>>
>>
>>
>>
>> _______________________________________________
>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org