Hi,

Anyone? I really need some help on this.

Thanks

On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <albertocrj@gmail.com> wrote:

Hi,

Just to explain better what I need:

Enforce a global password policy with password expiration but disable for some specifics OUs (just disable the password expiration).

On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <albertocrj@gmail.com> wrote:

Hi,

389-ds: 1.3.4.11

What I Need:

Enforce a global password policy but disable for some specifics OUs.

Doc: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy

Everything was working fine but I realized for that specific OU that I created a local policy started to storage user password as plaintext:

I created the local policy using the script ns-newpwpolicy.pl as below:

/opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp

 Here's my config:

nsslapd-pwpolicy-local: on (under cn=config)

Double checked using 389 console that under this OU, "Fine-grained subtree policy enabled" is set on.

ldapsearch  -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'

# extended LDIF

#

# LDAPv3

# base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree

# filter: (objectclass=ldapsubentry)

# requesting: ALL

#

# cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPol

 icyContainer, testing, homolog.rnp

dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=n

 sPwPolicyContainer,OU=testing,dc=homolog,dc=rnp

passwordStorageScheme: SSHA

passwordChange: off

passwordMaxAge: 8640000

passwordExp: off

objectClass: top

objectClass: extensibleObject

objectClass: costemplate

objectClass: ldapsubentry

cosPriority: 1

cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp

A user entry on this OU:

dn: uid=app-test,OU=testing,dc=homolog,dc=rnp

userPassword:: MXEydzNlNHI=

ntUserLastLogon: 131219776403276312

objectClass: top

objectClass: person

objectClass: organizationalperson

objectClass: inetOrgPerson

Am I missing something?

Thanks

Alberto Viana

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org