Hi,
Just to explain better what I need:
Enforce a global password policy with password expiration, but disable it for
some specific OUs (just disable the password expiration).
On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <albertocrj(a)gmail.com> wrote:
Hi,
389-ds: 1.3.4.11
What I Need:
Enforce a global password policy but disable it for some specific OUs.
Doc:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy
Everything was working fine, but I realized that in the specific OU where I
created a local policy, user passwords started to be stored as plaintext:
I created the local policy using the script ns-newpwpolicy.pl as below:
/opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
Here's my config:
nsslapd-pwpolicy-local: on (under cn=config)
Double checked using 389 console that under this OU, "Fine-grained subtree
policy enabled" is set on.
ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
# extended LDIF
#
# LDAPv3
# base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#
# cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
passwordStorageScheme: SSHA
passwordChange: off
passwordMaxAge: 8640000
passwordExp: off
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
A user entry in this OU:
dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
ntUserLastLogon: 131219776403276312
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
Am I missing something?
Thanks
Alberto Viana
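When 389-ds hashes a password itself, the stored userPassword value carries the scheme as a prefix (for example {SSHA}...), which is what the passwordStorageScheme: SSHA line in the template above should produce. The value in the user entry above has no such prefix, so it was stored as given. A quick way to audit a subtree for this is to take the LDIF that ldapsearch prints, base64-decode the "::" values, and flag every userPassword without a recognised {SCHEME} tag. The script below is an added example, not code from the list message or from the 389-ds project; the set of scheme names, the entry DNs and the sample LDIF are all constructed for the example.

```python
"""Flag userPassword values that were stored without a hashing scheme.

Added example (not from the list message or the 389-ds project). It reads
LDIF as printed by ldapsearch, base64-decodes 'attr:: value' lines, and
reports any userPassword value that lacks a {SCHEME} prefix or uses {CLEAR}.
"""
import base64
from typing import Dict, List, Optional, Tuple

# Scheme prefixes that mean the value is a hash. This set is an assumption
# for the example (common 389-ds schemes); extend it to match your server.
HASH_SCHEMES = {
    "SSHA", "SSHA256", "SSHA384", "SSHA512",
    "SHA", "SHA256", "SHA384", "SHA512",
    "PBKDF2_SHA256", "CRYPT", "MD5", "SMD5", "NS-MTA-MD5",
}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips comments,
    base64-decodes 'attr:: value', and lower-cases attribute names."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # 'attr:: base64value'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def password_scheme(value: str) -> Optional[str]:
    """Return the {SCHEME} tag of a stored password, or None if there is none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return None


def find_plaintext_passwords(text: str) -> List[Tuple[str, str]]:
    """Return (dn, reason) for every userPassword that is not a recognised hash."""
    findings: List[Tuple[str, str]] = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("userpassword", []):
            scheme = password_scheme(value)
            if scheme is None:
                findings.append((dn, "no scheme prefix"))
            elif scheme == "CLEAR":
                findings.append((dn, "stored with {CLEAR}"))
            elif scheme not in HASH_SCHEMES:
                findings.append((dn, f"unknown scheme {{{scheme}}}"))
    return findings


# Constructed sample: fictional entries and values, not the ones from the message.
SAMPLE_LDIF = """\
# constructed sample output in ldapsearch/LDIF form
dn: uid=hashed-user,OU=testing,dc=example,dc=test
userPassword: {SSHA}dGhpcy1pcy1ub3QtYS1yZWFsLWhhc2g=
objectClass: inetOrgPerson

dn: uid=plain-user,OU=testing,dc=example,dc=test
userPassword:: Y29uc3RydWN0ZWQtcGxhaW50ZXh0
objectClass: inetOrgPerson

dn: uid=clear-user,OU=testing,dc=example,dc=test
userPassword: {CLEAR}constructed-plaintext
objectClass: inetOrgPerson

dn: uid=folded-dn,OU=testing,
 dc=example,dc=test
userPassword:: e1NTSEE1MTJ9Y29uc3RydWN0ZWQ=
objectClass: inetOrgPerson
"""

if __name__ == "__main__":
    import sys
    # Pass a file of ldapsearch output (bind as a DN allowed to read
    # userPassword), or run with no argument to check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_LDIF
    for dn, reason in find_plaintext_passwords(data):
        print(f"{dn}: {reason}")
```

To run it against the real subtree, save the output of an ldapsearch such as `ldapsearch -x -D "cn=Directory Manager" -W -b OU=testing,dc=homolog,dc=rnp userPassword` to a file and pass that file as the argument; only a bind that is allowed to read userPassword (Directory Manager here) will see the values at all. Entries that show up as "no scheme prefix" were written without the server hashing them, which is the symptom in the entry above.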