12:13 p.m.
After upgrading from 389 version 1.2.11.15-33.el6_5.x86_64 to
1.2.11.15-97.el6_10.x86_64, we're finding that the Directory Manager
account can bypass configured password policies and set user passwords to
anything. I believe this is now by design, but is there a configuration
file flag to revert to the previous behavior where Directory Manager needed
to conform to the password policy?
If not, how do we create a user account in 389 ldap server with rights to
check and update user password hashes, and still enforce configured
password policies?
Please advise
12:16 p.m.
New subject: help. directory manager bypassing password policies, alternatives?
Between 389 LDAP versions 1.2.11.15-33 and 1.2.11.15-97, we're finding that
the Directory Manager account can bypass configured password policies and
set user passwords to anything. I believe this is now by design, but is
there a configuration file flag to revert to the previous behavior where
Directory Manager needed to conform to the password policy?
If not, how do we create a user account in 389 ldap server with rights to
check and update user password hashes, and still enforce configured
password policies?
Please advise
12:28 p.m.
New subject: help. directory manager bypassing password policies, alternatives?
On 6/3/19 1:16 PM, Eric Freeman wrote:
Between 389 LDAP versions 1.2.11.15-33 and 1.2.11.15-97, we're finding
that the Directory Manager account can bypass configured password
policies and set user passwords to anything. I believe this is now by
design, but is there a configuration file flag to revert to the
previous behavior where Directory Manager needed to conform to the
password policy?
Sorry there is not.
If not, how do we create a user account in 389 ldap server with rights
to check and update user password hashes, and still enforce configured
password policies?
You create a new user, and you add an ACI to the suffix to allow this
user to update passwords.
Create a user, something like this
dn: uid=password update user,ou=people,dc=example,dc=com
Add "aci" to the suffix to allow this user rights to update userpassword
ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword") (version 3.0; acl "Allow user to
update passwords"; allow (write) (userdn = "ldap:///uid=password update
user,ou=people,dc=example,dc=com");)
That should do it.
HTH,
Mark
Please advise
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
4:13 a.m.
New subject: directory manager bypassing password policies, alternatives?
On 3 Jun 2019, at 19:13, Eric Freeman <efreem01(a)gmail.com>
wrote:
After upgrading from 389 version 1.2.11.15-33.el6_5.x86_64 to 1.2.11.15-97.el6_10.x86_64,
we're finding that the Directory Manager account can bypass configured password
policies and set user passwords to anything. I believe this is now by design, but is there
a configuration file flag to revert to the previous behavior where Directory Manager
needed to conform to the password policy?
If not, how do we create a user account in 389 ldap server with rights to check and
update user password hashes, and still enforce configured password policies?
I would assume that you would give an account an aci that allows targetAttr userPassword
with the ability to write to them, and set the scope to an ou/subtree of some nature.
Does that help?
Please advise
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
8:12 a.m.
New subject: directory manager bypassing password policies, alternatives?
Yes, thanks!
On Fri, Jun 7, 2019, 5:49 AM William Brown <wbrown(a)suse.de> wrote:
> On 3 Jun 2019, at 19:13, Eric Freeman <efreem01(a)gmail.com> wrote:
>
> After upgrading from 389 version 1.2.11.15-33.el6_5.x86_64 to
1.2.11.15-97.el6_10.x86_64, we're finding that the Directory Manager
account can bypass configured password policies and set user passwords to
anything. I believe this is now by design, but is there a configuration
file flag to revert to the previous behavior where Directory Manager needed
to conform to the password policy?
>
> If not, how do we create a user account in 389 ldap server with rights
to check and update user password hashes, and still enforce configured
password policies?
I would assume that you would give an account an aci that allows
targetAttr userPassword with the ability to write to them, and set the
scope to an ou/subtree of some nature.
Does that help?
>
> Please advise
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
1782
days inactive
1786
days old
389-users@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Eric Freeman -
Mark Reynolds -
William Brown