On 09/26/2018 03:51 PM, Alberto Viana wrote:
> Hi Mark,
>
> I already have this configuration, but it stopped working after I
> enabled my password policy. Another thing is that the error changed; it's
> not the same as when the prehashed config was missing and my password was
> set to off.

When you turn syntax checking on then Password Admin functionally
breaks, correct? If so, it sounds like a bug then. Please file a
ticket with the exact steps to reproduce the problem.

Actually I think you need to set (again) passwordAdminDN in each subtree
policy. Please try this and let me know if it works.

Thanks,
Mark
https://pagure.io/389-ds-base/new_issue
>
> On Wed, Sep 26, 2018, 16:47 Mark Reynolds <mreynolds(a)redhat.com> wrote:
>
> Hi Alberto,
>
> Only Directory Manager or a Password Admin can add pre-hashed
> passwords. It has nothing to do with password policy settings.
> For more on password admins see:
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
>
> HTH,
>
> Mark
>
>
> On 09/26/2018 02:31 PM, Alberto Viana wrote:
>> I have a password applied globally like this:
>>
>> dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=my,dc=domain
>> passwordLockout: off
>> passwordGraceLimit: 50
>> passwordWarning: 86400
>> passwordInHistory: 3
>> passwordMinLength: 8
>> passwordMinCategories: 3
>> passwordStorageScheme: SSHA512
>> passwordChange: on
>> passwordMaxAge: 31536000
>> passwordCheckSyntax: on
>> passwordExp: on
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,DC=my,DC=domain
>>
>> In a sub OU, I have this policy:
>>
>> # cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain
>> dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
>> passwordLockout: off
>> passwordGraceLimit: 50
>> passwordStorageScheme: SSHA
>> passwordChange: on
>> passwordMaxAge: 31536000
>> passwordCheckSyntax: off
>> passwordExp: off
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain
>>
>> But when I try to add a prehashed password on this sub OU, I see
>> this kind of error:
>> LDAP: error code 19 - invalid password syntax - passwords with
>> storage scheme are not allowed
>>
>> Is this expected behavior even if in the sub OU I have a
>> password policy with passwordCheckSyntax set to off? If so, do I
>> have any way to disable this behavior? (But I cannot disable my
>> global password policy.)
>>
>> PS: The password policy is respecting the fact that
>> passwordCheckSyntax is set to off when I try to add a simple
>> password like '1234'.
>>
>>
>> _______________________________________________
>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fe...
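
Following the suggestion in this thread to set passwordAdminDN in each subtree policy, the script below is an added example (not code from the thread or from the 389-ds project) that reads an LDIF export of password policy entries, unfolds wrapped LDIF lines, and lists the policies that carry no passwordAdminDN. The sample LDIF is constructed from the two policies quoted in the thread, and the passwordAdminDN value in it is a hypothetical placeholder.

```python
# Added example: find password policy entries that lack passwordAdminDN.
# SAMPLE_LDIF is constructed from the two policies quoted in this thread;
# the passwordAdminDN value is a hypothetical placeholder, not a real group.
SAMPLE_LDIF = r"""
dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=
 my,dc=domain
passwordCheckSyntax: on
passwordStorageScheme: SSHA512
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=my,dc=domain
objectClass: ldapsubentry
objectClass: passwordpolicy

dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\
 2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
passwordCheckSyntax: off
passwordStorageScheme: SSHA
objectClass: ldapsubentry
objectClass: passwordpolicy
"""


def parse_ldif(text):
    """Return entries as dicts of lowercase attribute -> list of values.

    Handles RFC 2849 line folding (newline + one space continues the line).
    Base64 values ("attr:: ...") are not decoded in this sketch.
    """
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # skip blanks and ldapsearch comment lines
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def policies_missing_admin(entries):
    """DNs of passwordpolicy entries that have no passwordAdminDN attribute."""
    missing = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "passwordpolicy" in classes and "passwordadmindn" not in e:
            missing.append(e["dn"][0])
    return missing


if __name__ == "__main__":
    for dn in policies_missing_admin(parse_ldif(SAMPLE_LDIF)):
        print("no passwordAdminDN:", dn)
```
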