All you should need to do is set up a subtree policy on those OUs, and those should override the global policy.

Hi,
Anyone? I really need some help on this.
Thanks
On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <albertocrj@gmail.com> wrote:
Hi,
Just to explain better what I need:
Enforce a global password policy with password expiration, but disable it for some specific OUs (just disable the password expiration).
On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <albertocrj@gmail.com> wrote:
Hi,
389-ds: 1.3.4.11
What I Need:
Enforce a global password policy, but disable it for some specific OUs.
Everything was working fine, but I realized that for the specific OU where I created a local policy, the server started to store user passwords as plaintext:
I created the local policy using the script ns-newpwpolicy.pl as below:
/opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
Here's my config:
nsslapd-pwpolicy-local: on (under cn=config)
Double checked using 389 console that under this OU, "Fine-grained subtree policy enabled" is set on.
ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'

# extended LDIF
#
# LDAPv3
# base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#

# cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
passwordStorageScheme: SSHA
passwordChange: off
passwordMaxAge: 8640000
passwordExp: off
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
A user entry on this OU:
dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
ntUserLastLogon: 131219776403276312
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
Am I missing something?
Thanks
Alberto Viana
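The symptom in the post is a userPassword value with no storage-scheme prefix (the base64 `::` form hides this at a glance). The following script is an added example, not code from the thread or from the 389-ds project: it parses an LDIF export, base64-decodes `::` values, and reports every entry whose userPassword lacks a `{SCHEME}` prefix (or carries the `{CLEAR}` scheme, which 389-ds also treats as unhashed). The sample LDIF is constructed for the example; the first entry reuses the value from the post, the second carries a constructed SSHA value so both outcomes are exercised.

```python
import base64
import re

# Constructed sample LDIF (modelled on the entry in the thread). The SSHA value
# on the second entry is a made-up placeholder, not a real hash.
SAMPLE_LDIF = """\
dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
objectClass: inetOrgPerson

dn: uid=app-ok,OU=testing,dc=homolog,dc=rnp
userPassword: {SSHA}cGxhY2Vob2xkZXItbm90LWEtcmVhbC1oYXNo
objectClass: inetOrgPerson

dn: uid=app-clear,OU=testing,dc=homolog,dc=rnp
userPassword: {CLEAR}placeholder
objectClass: inetOrgPerson
"""

# Storage-scheme prefix as written by 389-ds, e.g. {SSHA}, {PBKDF2_SHA256}, {crypt}.
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")


def parse_ldif(text):
    """Return a list of (dn, {attr: [bytes, ...]}) entries.

    Handles folded continuation lines (leading space), comment lines and
    base64 values ('attr:: value'). Attribute names are lower-cased so that
    'userPassword' and 'userpassword' compare equal.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold LDIF continuation line
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        if name.lower() == "dn":
            dn = value.decode()
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def password_is_hashed(value):
    """True if the value carries a scheme prefix other than {CLEAR}."""
    m = SCHEME_RE.match(value)
    return m is not None and m.group(1).upper() != b"CLEAR"


def audit_ldif(text):
    """Return the DNs whose userPassword is stored without a hashing scheme."""
    flagged = []
    for dn, attrs in parse_ldif(text):
        for value in attrs.get("userpassword", []):
            if not password_is_hashed(value):
                flagged.append(dn)
                break
    return flagged


if __name__ == "__main__":
    for dn in audit_ldif(SAMPLE_LDIF):
        print("userPassword stored without a hashing scheme:", dn)
```

Run it against an export such as `ldapsearch -x -D "cn=Directory Manager" -W -b OU=testing,dc=homolog,dc=rnp userPassword` saved to a file; the script deliberately never prints the decoded password value, only the DN of the affected entry.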
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org