Juan Carlos,
Yes, CoS can help. I had a similar problem and resolved it by using roles and CoS. More
precisely, I used a filtered role and then assigned the same password policy to all role
members (belonging to different groups) by using the so-called classic type of CoS.
However, I had to assign the password policy from the command line, not through the 389 console.
Role dn may be something like this:
dn: cn=roleName,ou=people,dc=example,dc=com
cn: roleName
nsrolefilter: ou=UniquePolicyRole
objectclass: top
objectclass: ldapsubentry
objectclass: nsroledefinition
objectclass: nscomplexroledefinition
objectclass: nsfilteredroledefinition
So when an entry matches the role filter criteria, it gets an nsRole attribute that has a
value of the kind: cn=roleName,ou=people,dc=example,dc=com…
Classic CoS implementation looks a bit tricky:
CoS definition entry:
dn: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosspecifier: nsRole
cosTemplateDN: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosattribute: pwdPolicySubentry default operational-default
objectclass: top
objectclass: ldapsubentry
objectclass: cossuperdefinition
objectclass: cosClassicDefinition
CoS template entry:
dn: CosTemplateRDN,CoSDefinitionRDN,ou=people,dc=example,dc=com
pwdpolicysubentry: PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com
cospriority: n
# see more on CoS priorities. The purpose is to always have exactly one password policy,
# i.e. pwdPolicySubentry attribute, active, even if your entry is eligible for a few of them.
objectclass: top
objectclass: costemplate
objectclass: extensibleobject
objectclass: ldapsubentry
As a result, an entry belonging to the roleName role would have pwdpolicysubentry with a value
of “dn:PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com”.
I hope this helps.
Jovan
Jovan Vukotić • Senior Software Engineer • Ambit Treasury Management • SunGard • Banking •
Bulevar Milutina Milankovića 136b, Belgrade, Serbia • tel: +381.11.6555-66-1 •
jovan.vukotic@sungard.com
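As an added illustration (not code from this thread or from 389 DS itself), the following Python simulates how the filtered role and the classic CoS described above combine: an entry matching the role filter gets the virtual nsRole, the matching template with the lowest cosPriority supplies pwdPolicySubentry, and the `default` qualifier lets a real value stored on the entry win. The entry contents, the second template and the pinned policy DN are constructed assumptions.

```python
"""Simulate a filtered role plus classic CoS yielding one pwdPolicySubentry value.
Added example, not code from the thread or from 389 DS; entries, filter and templates
are constructed. Only a single (attr=value) equality filter is understood."""
import re

ROLE_DN = "cn=roleName,ou=people,dc=example,dc=com"
ROLE_FILTER = "(ou=UniquePolicyRole)"
POLICY_DN = "PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com"

# Classic CoS templates, keyed by the nsRole value (the cosSpecifier) they serve.
# When several apply, the lowest cosPriority value wins (0 is the highest priority).
TEMPLATES = [
    {"nsrole": ROLE_DN, "cospriority": 0, "pwdpolicysubentry": POLICY_DN},
    {"nsrole": ROLE_DN, "cospriority": 3,
     "pwdpolicysubentry": "cn=olderPolicy,cn=PwdPolicies,ou=people,dc=example,dc=com"},
]

def matches_filter(entry, ldap_filter):
    """Evaluate one (attr=value) equality filter; entry attribute names are lower-case."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are supported: %r" % ldap_filter)
    attr, value = m.group(1).lower(), m.group(2)
    return value in entry.get(attr, [])

def nsrole(entry):
    """Virtual nsRole values: every filtered role whose filter the entry satisfies."""
    return [ROLE_DN] if matches_filter(entry, ROLE_FILTER) else []

def resolve_pwd_policy(entry):
    """Effective pwdPolicySubentry, or None when the global policy applies.
    The cosAttribute qualifier is 'default', so a real value stored on the entry
    takes precedence over anything the CoS would generate."""
    if entry.get("pwdpolicysubentry"):
        return entry["pwdpolicysubentry"][0]
    roles = nsrole(entry)
    candidates = [t for t in TEMPLATES if t["nsrole"] in roles]
    if not candidates:
        return None
    return min(candidates, key=lambda t: t["cospriority"])["pwdpolicysubentry"]

# Constructed entries living in different OUs, as in the original question.
FINANCE_USER = {"uid": ["alice"], "ou": ["finance", "UniquePolicyRole"]}
HR_USER = {"uid": ["bob"], "ou": ["hr"]}
PINNED_USER = {"uid": ["carol"], "ou": ["UniquePolicyRole"],
               "pwdpolicysubentry": ["cn=pinnedPolicy,cn=PwdPolicies,ou=people,dc=example,dc=com"]}

if __name__ == "__main__":
    for e in (FINANCE_USER, HR_USER, PINNED_USER):
        print(e["uid"][0], "->", resolve_pwd_policy(e))
```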
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Juan Carlos Camargo
Sent: Thursday, August 29, 2013 2:13 PM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Password policy applied to a group
389ds'ers,
I'm struggling to find the best way to apply a password policy only to members of a
group, the rest having either the global or user/local policy. I have a number of users
whose password should never expire, but those users live in different OUs and don't even
share a parent branch. Do you think a CoS might help? Which do you think would be the best
way to implement this?
Thanks!
--
Juan Carlos Camargo Carrillo.
@jcarloscamargo
957-211157, 650932877