Mark,
I updated to version 1.3.5.14 and realized that:
- If I create the subtree policy using ns-newpwpolicy.pl, 389 starts to
store userPassword as plaintext (the other things, such as disabling
password expiration, work fine) for this specific subtree.
- If I create the subtree policy using 389-console, everything works
fine.
Analysing the nsPwPolicyContainer and nsPwTemplateEntry created by
both methods I could not find any difference.
The exact same thing happens on 1.3.4.11, so is that a script problem?
If the
console works, but the script fails then there is something funny
with the script. So please file a ticket with the exact steps to
reproduce the problem, and your initial analysis:
Should I file a ticket anyway?
Thanks
Alberto Viana
On Wed, Nov 16, 2016 at 10:24 AM, Mark Reynolds <mareynol(a)redhat.com> wrote:
On 11/16/2016 07:06 AM, Alberto Viana wrote:
> Hi,
>
> Anyone? I really need some help on this.
All you should need to do is set up a subtree policy on those OUs,
and those should override the global policy.
There was a bug, that I can not seem to find anymore, where this was
not working: the subtree policy was not overriding the global policy.
It was fixed, but I don't know if the version of 389 that you have
has that fix or not. Make sure you are on the latest version of
389 that your platform supports.
If this does not work please file a ticket with the exact steps to
reproduce the problem:
https://fedorahosted.org/389/newticket
Regards,
Mark
> Thanks
>
> On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana
> <albertocrj(a)gmail.com> wrote:
>
> Hi,
>
> Just to explain better what I need:
>
> Enforce a global password policy with password expiration but
> disable it for some specific OUs (just disable the password
> expiration).
>
>
>
>
> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana
> <albertocrj(a)gmail.com> wrote:
>
> Hi,
>
> 389-ds: 1.3.4.11
>
> What I Need:
>
> Enforce a global password policy but disable it for some
> specific OUs.
>
> Doc:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10...
>
> Everything was working fine, but I realized that for the
> specific OU where I created a local policy, it started to
> store user passwords as plaintext:
>
> I created the local policy using the script
> ns-newpwpolicy.pl as below:
>
> /opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager"
> -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
>
> Here's my config:
>
> nsslapd-pwpolicy-local: on (under cn=config)
>
> Double checked using 389 console that under this OU,
> "Fine-grained subtree policy enabled" is set on.
>
>
> ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp'
> -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
> # extended LDIF
> #
> # LDAPv3
> # base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
> # filter: (objectclass=ldapsubentry)
> # requesting: ALL
> #
>
> # cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
> dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
> passwordStorageScheme: SSHA
> passwordChange: off
> passwordMaxAge: 8640000
> passwordExp: off
> objectClass: top
> objectClass: extensibleObject
> objectClass: costemplate
> objectClass: ldapsubentry
> cosPriority: 1
> cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
>
>
>
> A user entry on this OU:
>
> dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
> userPassword:: MXEydzNlNHI=
> ntUserLastLogon: 131219776403276312
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetOrgPerson
>
>
> Am I missing something?
>
> Thanks
>
> Alberto Viana
>
>
>
>
>
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
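The symptom in this thread is a userPassword value that, once the LDIF base64 transport encoding (the `::` separator) is undone, carries no `{SCHEME}` prefix, so it is stored unhashed rather than as the `{SSHA}` hash the template asks for. The script below is an added example, not code from 389 DS or from anyone in the thread: it parses an LDIF export (constructed inline, with invented DNs and passwords) and lists the entries whose userPassword is stored in clear text, which is how one would check whether other subtrees were affected after such a policy change before rotating the exposed passwords.

```python
"""Audit an LDIF export for userPassword values stored in clear text.

Added example for this thread, not code from 389 DS or from the posters.
The LDIF below is constructed; DNs and passwords are invented.
In LDIF a '::' separator only means the value is base64-encoded for
transport, so a decoded value with no {SCHEME} prefix (or with {CLEAR})
is stored unhashed, which is the symptom described in the thread.
"""
import base64
import re

# Attribute line: name, ':' or '::' separator, optional space, value.
ATTR_RE = re.compile(r"^([A-Za-z][\w;.\-]*)(::?) ?(.*)$")
# Storage-scheme prefix written by 389 DS, e.g. {SSHA}, {PBKDF2_SHA256}.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_\-]+)\}")

# Constructed sample: one hashed value (placeholder digest, not real),
# one base64-encoded clear value folded across two lines the way
# ldapsearch folds long lines, and one value with the {CLEAR} scheme.
_CLEAR_B64 = base64.b64encode(b"constructed-secret").decode()
SAMPLE_LDIF = f"""\
dn: uid=hashed-user,ou=testing,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: {{SSHA}}YmFzZTY0LW9mLWEtc2FsdGVkLXNoYTEtZGlnZXN0

dn: uid=clear-user,ou=testing,dc=example,dc=com
objectClass: inetOrgPerson
userPassword:: {_CLEAR_B64[:10]}
 {_CLEAR_B64[10:]}

dn: uid=clear-scheme-user,ou=testing,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: {{CLEAR}}another-constructed-secret
"""


def _entry_from_lines(lines):
    """Turn the unfolded lines of one entry into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in lines:
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            # '::' is LDIF base64 transport encoding, not a hash.
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) entries.

    Handles folded continuation lines (leading space), '::' base64
    values and comment lines; blank lines separate entries.
    """
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw == "":
            if current:
                entries.append(_entry_from_lines(current))
                current = []
        elif raw.startswith("#"):
            continue
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]  # unfold continuation line
        else:
            current.append(raw)
    return entries


def find_cleartext_passwords(ldif_text):
    """Return [(dn, stored_value)] for every userPassword that is not
    protected by a hashing scheme prefix ({CLEAR} counts as unprotected)."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for pw in attrs.get("userpassword", []):
            m = SCHEME_RE.match(pw)
            if m is None or m.group(1).upper() == "CLEAR":
                findings.append((dn, pw))
    return findings


def scheme_summary(ldif_text):
    """Count userPassword values per storage scheme ('CLEARTEXT' when no
    prefix is present); a subtree hashing differently stands out here."""
    counts = {}
    for _dn, attrs in parse_ldif(ldif_text):
        for pw in attrs.get("userpassword", []):
            m = SCHEME_RE.match(pw)
            scheme = m.group(1).upper() if m else "CLEARTEXT"
            counts[scheme] = counts.get(scheme, 0) + 1
    return counts


if __name__ == "__main__":
    for dn, _value in find_cleartext_passwords(SAMPLE_LDIF):
        print("clear-text userPassword:", dn)  # report the DN, never the value
    print(scheme_summary(SAMPLE_LDIF))
```

Run it against a real `db2ldif` or `ldapsearch -LLL` export of the affected suffix; every DN it reports needs a password reset after the policy entry is repaired, because re-enabling hashing does not rehash values already written in clear.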