Hi List I am searching for some documentation for ns-newpolicy.pl file , as per RH Doc I can use that script to add the attribute : pwdUpdateTime to each uid entry after I already cfg in DS Password TrackUpdateTime and pwdpolicy- inherit -global to 'on'; Thank you Isabella
On 9/17/21 4:46 PM, Ghiurea, Isabella wrote:
Hi List
I am searching for some documentation for ns-newpolicy.pl file , as per RH Doc I can use that script to add the attribute : pwdUpdateTime to each uid entry after I already cfg in DS Password TrackUpdateTime and pwdpolicy- inherit -global to ‘on’;
The only docs we have are the official Red Hat docs. Here's a recap...
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
This will start to add "pwdUpdateTime" to entries /after/ they change their passwords, but it does not automatically add it to all existing entries. They must change their passwords after enabling this setting for pwdUpdateTime to be set.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings. Otherwise only the local policy is applied.
HTH, Mark
Thank you
Isabella
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Thank you, so the steps to have this attribute cfg and with set value for each user are :
- In DS cfg add attriute PasswordTrackUpddateTime to on, nsslapd-policy-local to on and nsslapd-pwpolicy-inherit -global to on
- Have users chage their passwd
- The uid entries wtill display the new attribute :PasswordTrackUpdateTime with time stamp value Is this sufficient to have this attribute populate for each DS entry ?
Do I still need to run this ns-newpolicy.pl script ? If affirmative, I would like to learn when and what arguments must provide at run time ?
Isabella
-
From: Mark Reynolds [mailto:mreynolds@redhat.com] Sent: September 20, 2021 6:01 AM To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org; Ghiurea, Isabella Isabella.Ghiurea@nrc-cnrc.gc.ca Subject: Re: [389-users] ns-newpolicy/pl documentation/use case
***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC
On 9/17/21 4:46 PM, Ghiurea, Isabella wrote: Hi List I am searching for some documentation for ns-newpolicy.pl file , as per RH Doc I can use that script to add the attribute : pwdUpdateTime to each uid entry after I already cfg in DS Password TrackUpdateTime and pwdpolicy- inherit -global to 'on';
The only docs we have are the official Red Hat docs. Here's a recap...
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
This will start to add "pwdUpdateTime" to entries after they change their passwords, but it does not automatically add it to all existing entries. They must change their passwords after enabling this setting for pwdUpdateTime to be set.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings. Otherwise only the local policy is applied.
HTH, Mark Thank you Isabella
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.orgmailto:389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
On 9/20/21 11:32 AM, Ghiurea, Isabella wrote:
Thank you, so the steps to have this attribute cfg and with set value for each user are :
-In DS cfg add attriute PasswordTrackUpddateTime to on, nsslapd-policy-local to on and nsslapd-pwpolicy-inherit –global to on
-Have users chage their passwd
-The uid entries wtill display the new attribute :PasswordTrackUpdateTime with time stamp value
Is this sufficient to have this attribute populate for each DS entry ?
Do I still need to run this ns-newpolicy.pl script ?
Do you really need a local subtree policy? If the password policy you want to use will apply to all your users then you can simplify all of this. Just set passwordTrackUpdateTime to "on". That's it.
If affirmative, I would like to learn when and what arguments must provide at run time ?
Sorry, I'm not sure what you are asking here...
Mark
Isabella
*From:*Mark Reynolds [mailto:mreynolds@redhat.com] *Sent:* September 20, 2021 6:01 AM *To:* General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org; Ghiurea, Isabella Isabella.Ghiurea@nrc-cnrc.gc.ca *Subject:* Re: [389-users] ns-newpolicy/pl documentation/use case
/***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC/
On 9/17/21 4:46 PM, Ghiurea, Isabella wrote:
Hi List I am searching for some documentation for ns-newpolicy.pl file , as per RH Doc I can use that script to add the attribute : pwdUpdateTime to each uid entry after I already cfg in DS Password TrackUpdateTime and pwdpolicy- inherit -global to ‘on’;
The only docs we have are the official Red Hat docs. Here's a recap...
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht... https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordTrackUpdateTime
This will start to add "pwdUpdateTime" to entries /after/ they change their passwords, but it does not automatically add it to all existing entries. They must change their passwords after enabling this setting for pwdUpdateTime to be set.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht... https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_pwpolicy_inherit_global_Inherit_Global_Password_Policy
This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings. Otherwise only the local policy is applied.
HTH, Mark
Thank you Isabella _______________________________________________ 389-users mailing list --389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> To unsubscribe send an email to389-users-leave@lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ <https://docs.fedoraproject.org/en-US/project/code-of-conduct/> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines <https://fedoraproject.org/wiki/Mailing_list_guidelines> List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org <https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org> Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure <https://pagure.io/fedora-infrastructure>
-- Directory Server Development Team
From: Ghiurea, Isabella Sent: September 20, 2021 3:32 PM To: 'Mark Reynolds' mreynolds@redhat.com; General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org Subject: RE: [389-users] ns-newpolicy/pl documentation/use case
I cfg the DS see the dse,ldif, next reboot the server and update a user passwd with ldappasswd, I am not able to see passwordTrackUpdateTime in user entry.
nsslapd-pwpolicy-inherit-global: on nsslapd-pwpolicy-local: on passwordTrackUpdateTime: on
running 389-ds-base-1.3.9
I tried with nsslapd-pwpolicy-local: off and nsslapd-pwpolicy-inherit-global: on and passwordTrackUpdateTime: on and still same result. Please , what I am missing from this cfg ? Thank you!
From: Mark Reynolds [mailto:mreynolds@redhat.com] Sent: September 20, 2021 2:00 PM To: Ghiurea, Isabella <Isabella.Ghiurea@nrc-cnrc.gc.camailto:Isabella.Ghiurea@nrc-cnrc.gc.ca>; General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org> Subject: Re: [389-users] ns-newpolicy/pl documentation/use case
***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC
On 9/20/21 11:32 AM, Ghiurea, Isabella wrote: Thank you, so the steps to have this attribute cfg and with set value for each user are :
1. In DS cfg add attriute PasswordTrackUpddateTime to on, nsslapd-policy-local to on and nsslapd-pwpolicy-inherit -global to on
2. Have users chage their passwd
3. The uid entries wtill display the new attribute :PasswordTrackUpdateTime with time stamp value Is this sufficient to have this attribute populate for each DS entry ?
Do I still need to run this ns-newpolicy.pl script ?
Do you really need a local subtree policy? If the password policy you want to use will apply to all your users then you can simplify all of this. Just set passwordTrackUpdateTime to "on". That's it. If affirmative, I would like to learn when and what arguments must provide at run time ?
Sorry, I'm not sure what you are asking here...
Mark
Isabella
4.
From: Mark Reynolds [mailto:mreynolds@redhat.com] Sent: September 20, 2021 6:01 AM To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org; Ghiurea, Isabella Isabella.Ghiurea@nrc-cnrc.gc.camailto:Isabella.Ghiurea@nrc-cnrc.gc.ca Subject: Re: [389-users] ns-newpolicy/pl documentation/use case
***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC
On 9/17/21 4:46 PM, Ghiurea, Isabella wrote: Hi List I am searching for some documentation for ns-newpolicy.pl file , as per RH Doc I can use that script to add the attribute : pwdUpdateTime to each uid entry after I already cfg in DS Password TrackUpdateTime and pwdpolicy- inherit -global to 'on';
The only docs we have are the official Red Hat docs. Here's a recap...
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
This will start to add "pwdUpdateTime" to entries after they change their passwords, but it does not automatically add it to all existing entries. They must change their passwords after enabling this setting for pwdUpdateTime to be set.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings. Otherwise only the local policy is applied.
HTH, Mark Thank you Isabella
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.orgmailto:389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
--
Directory Server Development Team
On 9/20/21 6:36 PM, Ghiurea, Isabella wrote:
*From:*Ghiurea, Isabella *Sent:* September 20, 2021 3:32 PM *To:* 'Mark Reynolds' mreynolds@redhat.com; General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org *Subject:* RE: [389-users] ns-newpolicy/pl documentation/use case
I cfg the DS see the dse,ldif, next reboot the server and update a user passwd with ldappasswd, I am not able to see passwordTrackUpdateTime in user entry.
nsslapd-pwpolicy-inherit-global: on
nsslapd-pwpolicy-local: on
passwordTrackUpdateTime: on
running 389-ds-base-1.3.9
I tried with nsslapd-pwpolicy-local: off and
nsslapd-pwpolicy-inherit-global: on and
passwordTrackUpdateTime: on
and still same result.
Please , what I am missing from this cfg ?
I have no idea, all I did was set passwordTrackUpdateTime to on, and then I changed a user's password. That is it. No other configuration changes are needed. After that I saw this in the audit log:
dn: uid=demo_user,ou=people,dc=example,dc=com changetype: modify replace: pwdUpdateTime pwdUpdateTime: 20210920205730Z
Now pwdUpdateTime is an operational attribute, so if you want to confirm it was written by doing a search, then the search must request that attribute (or else it is not returned to the client):
# ldapsearch -D "..." -W -b dc=example,dc=com uid=demo_user pwdUpdateTime
Mark
Thank you!
*From:*Mark Reynolds [mailto:mreynolds@redhat.com mailto:mreynolds@redhat.com] *Sent:* September 20, 2021 2:00 PM *To:* Ghiurea, Isabella <Isabella.Ghiurea@nrc-cnrc.gc.ca mailto:Isabella.Ghiurea@nrc-cnrc.gc.ca>; General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org mailto:389-users@lists.fedoraproject.org> *Subject:* Re: [389-users] ns-newpolicy/pl documentation/use case
/***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC/
On 9/20/21 11:32 AM, Ghiurea, Isabella wrote:
Thank you, so the steps to have this attribute cfg and with set value for each user are : 1.In DS cfg add attriute PasswordTrackUpddateTime to on, nsslapd-policy-local to on and nsslapd-pwpolicy-inherit –global to on 2.Have users chage their passwd 3.The uid entries wtill display the new attribute :PasswordTrackUpdateTime with time stamp value Is this sufficient to have this attribute populate for each DS entry ? Do I still need to run this ns-newpolicy.pl script ?
Do you really need a local subtree policy? If the password policy you want to use will apply to all your users then you can simplify all of this. Just set passwordTrackUpdateTime to "on". That's it.
If affirmative, I would like to learn when and what arguments must provide at run time ?
Sorry, I'm not sure what you are asking here...
Mark
Isabella 4. *From:*Mark Reynolds [mailto:mreynolds@redhat.com <mailto:mreynolds@redhat.com>] *Sent:* September 20, 2021 6:01 AM *To:* General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org> <mailto:389-users@lists.fedoraproject.org>; Ghiurea, Isabella <Isabella.Ghiurea@nrc-cnrc.gc.ca> <mailto:Isabella.Ghiurea@nrc-cnrc.gc.ca> *Subject:* Re: [389-users] ns-newpolicy/pl documentation/use case /***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC/ On 9/17/21 4:46 PM, Ghiurea, Isabella wrote: Hi List I am searching for some documentation for ns-newpolicy.pl file , as per RH Doc I can use that script to add the attribute : pwdUpdateTime to each uid entry after I already cfg in DS Password TrackUpdateTime and pwdpolicy- inherit -global to ‘on’; The only docs we have are the official Red Hat docs. Here's a recap... https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordTrackUpdateTime <https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordTrackUpdateTime> This will start to add "pwdUpdateTime" to entries /after/ they change their passwords, but it does not automatically add it to all existing entries. They must change their passwords after enabling this setting for pwdUpdateTime to be set. https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_pwpolicy_inherit_global_Inherit_Global_Password_Policy <https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_pwpolicy_inherit_global_Inherit_Global_Password_Policy> This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings. Otherwise only the local policy is applied. HTH, Mark Thank you Isabella _______________________________________________ 389-users mailing list --389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> To unsubscribe send an email to389-users-leave@lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ <https://docs.fedoraproject.org/en-US/project/code-of-conduct/> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines <https://fedoraproject.org/wiki/Mailing_list_guidelines> List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org <https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org> Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure <https://pagure.io/fedora-infrastructure> -- Directory Server Development Team
-- Directory Server Development Team
389-users@lists.fedoraproject.org