hello,
version : Directory Server 1.1.3 on Fedora 8 64 bits plateform
When i configure a password policy on a subtree of my directory, this policy do not works. When i configure a global password policy, this global policy works but ignore locals policy of subtrees.
when i look at the databases ldif backup, il do not find the "passwordMinLength" attribute for local password policy for subtrees but this attribut exists in dse ldif for the global policy !
how resolve this ?
regards
Hi,
Hugo Étiévant,
I believe you configured the sub tree password policy through ns-newpwpolicy.pl script.
When you configure the global password policy it may override the sub tree password policy. So make sure that 'nsslapd-pwpolicy-local' is 'on' in cn=config entry of dse.ldif file to make the sub tree policy to work.
This attribute decides whether the local password policy is enabled or not. Anyways the execution of ns-newpwpolicy.pl script will turn this attribute value to 'on'.
However you cannot see any traces of sub tree Password policy attributes by searching cn=config tree or in dse.ldif file. It will show only global password policy attributes.
You can see list of applied sub tree password policy attributes by performing a search like this.
/opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
-D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry
dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou= marketing,o=abc.com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
passwordExp: off
passwordMaxAge: 10
passwordWarning: 15
passwordGraceLimit: 1
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic
yContainer,ou=marketing,o=abc.com
Regards,
ViSolve LDAP Team.
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Hugo Etievant Sent: Wednesday, February 25, 2009 9:41 PM To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] Password policy don't work on a subtree
hello,
version : Directory Server 1.1.3 on Fedora 8 64 bits plateform
When i configure a password policy on a subtree of my directory, this
policy do not works.
When i configure a global password policy, this global policy works but
ignore locals policy of subtrees.
when i look at the databases ldif backup, il do not find the
"passwordMinLength" attribute for local password policy for subtrees
but this attribut exists in dse ldif for the global policy !
how resolve this ?
regards
hello,
I use only GUI for configuration. I do not use perl script.
I have checked the "Enable fine-grained password policy" on global Password Policy. And i have configured a local Password policy on a subtree. But this second policy do not work as it should : the minimum lenght of password is ignored.
"nsslapd-pwpolicy-local: on" appears my dse.ldif file
a ldap search show password policy but some attribut of my policy dos not appears !
exemple : dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp, dc=fr",cn=nsPwPolicyContainer,ou= tests,dc=inrp,dc=fr passwordMinDigits: 1 passwordMinAlphas: 1 passwordStorageScheme: ssha passwordGraceLimit: 0 passwordCheckSyntax: on passwordMinTokenLength: 2 passwordInHistory: 10 passwordChange: on passwordWarning: 0 passwordMinAge: 0 passwordHistory: on passwordExp: on passwordMustChange: off passwordMaxAge: 63072000 objectClass: ldapsubentry objectClass: passwordpolicy
here, the "passwordMinLen" attribute does not appear, but i have enter this with GUI tool (value = "8" chars) !!!!
this is a bug ?
i apply the same policy for global and for local subtree but i have differents LDAP entries !
global policy attributes :
nsslapd-security: on nsslapd-pwpolicy-local: on passwordMinLength: 8 passwordMinCategories: 3 passwordMinTokenLength: 2 passwordCheckSyntax: on passwordMinAlphas: 1 passwordMinDigits: 1 passwordMaxAge: 63072000 passwordExp: on passwordHistory: on passwordWarning: 0 passwordInHistory: 10
local policy attributes :
passwordMinDigits: 1 passwordMinAlphas: 1 passwordStorageScheme: ssha passwordGraceLimit: 0 passwordCheckSyntax: on passwordMinTokenLength: 2 passwordInHistory: 10 passwordChange: on passwordWarning: 0 passwordMinAge: 0 passwordHistory: on passwordExp: on passwordMustChange: off passwordMaxAge: 63072000
here : passwordMinLen is losed !!!!!
=> how can i apply this rule about min length of password ?????
regards
Visolve LDAP Group a écrit :
Hi,
Hugo Étiévant,
I believe you configured the sub tree password policy through ns-newpwpolicy.pl script.
When you configure the global password policy it may override the sub tree password policy. So make sure that 'nsslapd-pwpolicy-local' is 'on' in cn=config entry of dse.ldif file to make the sub tree policy to work.
This attribute decides whether the local password policy is enabled or not. Anyways the execution of ns-newpwpolicy.pl script will turn this attribute value to 'on'.
However you cannot see any traces of sub tree Password policy attributes by searching cn=config tree or in dse.ldif file. It will show only global password policy attributes.
You can see list of applied *sub tree *password policy *attributes* by performing a search like this.
/opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
-D "<managerDN>" -w <passwd> -b <suffix> *objectclass=ldapsubentry*
dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
passwordExp: off
passwordMaxAge: 10
passwordWarning: 15
passwordGraceLimit: 1
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic
yContainer,ou=marketing,o=abc.com
Regards,
ViSolve LDAP Team.
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Hugo Etievant Sent: Wednesday, February 25, 2009 9:41 PM To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] Password policy don't work on a subtree
hello,
version : Directory Server 1.1.3 on Fedora 8 64 bits plateform
When i configure a password policy on a subtree of my directory, this
policy do not works.
When i configure a global password policy, this global policy works but
ignore locals policy of subtrees.
when i look at the databases ldif backup, il do not find the
"passwordMinLength" attribute for local password policy for subtrees
but this attribut exists in dse ldif for the global policy !
how resolve this ?
Hugo Etievant wrote:
hello,
I use only GUI for configuration. I do not use perl script.
The GUI does the same thing as the perl script.
I have checked the "Enable fine-grained password policy" on global Password Policy. And i have configured a local Password policy on a subtree. But this second policy do not work as it should : the minimum lenght of password is ignored.
"nsslapd-pwpolicy-local: on" appears my dse.ldif file
a ldap search show password policy but some attribut of my policy dos not appears !
exemple : dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp, dc=fr",cn=nsPwPolicyContainer,ou= tests,dc=inrp,dc=fr passwordMinDigits: 1 passwordMinAlphas: 1 passwordStorageScheme: ssha passwordGraceLimit: 0 passwordCheckSyntax: on passwordMinTokenLength: 2 passwordInHistory: 10 passwordChange: on passwordWarning: 0 passwordMinAge: 0 passwordHistory: on passwordExp: on passwordMustChange: off passwordMaxAge: 63072000 objectClass: ldapsubentry objectClass: passwordpolicy
here, the "passwordMinLen" attribute does not appear, but i have enter this with GUI tool (value = "8" chars) !!!!
this is a bug ?
i apply the same policy for global and for local subtree but i have differents LDAP entries !
global policy attributes :
nsslapd-security: on nsslapd-pwpolicy-local: on passwordMinLength: 8 passwordMinCategories: 3 passwordMinTokenLength: 2 passwordCheckSyntax: on passwordMinAlphas: 1 passwordMinDigits: 1 passwordMaxAge: 63072000 passwordExp: on passwordHistory: on passwordWarning: 0 passwordInHistory: 10
local policy attributes :
passwordMinDigits: 1 passwordMinAlphas: 1 passwordStorageScheme: ssha passwordGraceLimit: 0 passwordCheckSyntax: on passwordMinTokenLength: 2 passwordInHistory: 10 passwordChange: on passwordWarning: 0 passwordMinAge: 0 passwordHistory: on passwordExp: on passwordMustChange: off passwordMaxAge: 63072000
here : passwordMinLen is losed !!!!!
Is passwordMinLength the only attribute you cannot set in your local password policy? Do you have this problem with any other attribute?
=> how can i apply this rule about min length of password ?????
regards
Visolve LDAP Group a écrit :
Hi,
Hugo Étiévant,
I believe you configured the sub tree password policy through ns-newpwpolicy.pl script.
When you configure the global password policy it may override the sub tree password policy. So make sure that 'nsslapd-pwpolicy-local' is 'on' in cn=config entry of dse.ldif file to make the sub tree policy to work.
This attribute decides whether the local password policy is enabled or not. Anyways the execution of ns-newpwpolicy.pl script will turn this attribute value to 'on'.
However you cannot see any traces of sub tree Password policy attributes by searching cn=config tree or in dse.ldif file. It will show only global password policy attributes.
You can see list of applied *sub tree *password policy *attributes* by performing a search like this.
/opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
-D "<managerDN>" -w <passwd> -b <suffix> *objectclass=ldapsubentry*
dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
passwordExp: off
passwordMaxAge: 10
passwordWarning: 15
passwordGraceLimit: 1
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic
yContainer,ou=marketing,o=abc.com
Regards,
ViSolve LDAP Team.
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Hugo Etievant Sent: Wednesday, February 25, 2009 9:41 PM To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] Password policy don't work on a subtree
hello,
version : Directory Server 1.1.3 on Fedora 8 64 bits plateform
When i configure a password policy on a subtree of my directory, this
policy do not works.
When i configure a global password policy, this global policy works but
ignore locals policy of subtrees.
when i look at the databases ldif backup, il do not find the
"passwordMinLength" attribute for local password policy for subtrees
but this attribut exists in dse ldif for the global policy !
how resolve this ?
Rich Megginson a écrit :
Hugo Etievant wrote:
hello,
I use only GUI for configuration. I do not use perl script.
The GUI does the same thing as the perl script.
here : passwordMinLen is losed !!!!!
Is passwordMinLength the only attribute you cannot set in your local password policy? Do you have this problem with any other attribute?
yes! passwordMinLength is the only one attribute with problem !
Visolve LDAP Group wrote:
Hi,
Hugo Étiévant,
I believe you configured the sub tree password policy through ns-newpwpolicy.pl script.
When you configure the global password policy it may override the sub tree password policy. So make sure that 'nsslapd-pwpolicy-local' is 'on' in cn=config entry of dse.ldif file to make the sub tree policy to work.
This attribute decides whether the local password policy is enabled or not. Anyways the execution of ns-newpwpolicy.pl script will turn this attribute value to 'on'.
However you cannot see any traces of sub tree Password policy attributes by searching cn=config tree or in dse.ldif file. It will show only global password policy attributes.
You can see list of applied *sub tree *password policy *attributes* by performing a search like this.
/opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
-D "<managerDN>" -w <passwd> -b <suffix> *objectclass=ldapsubentry*
dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
passwordExp: off
passwordMaxAge: 10
passwordWarning: 15
passwordGraceLimit: 1
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic
yContainer,ou=marketing,o=abc.com
If you set a local password policy like this, _it will not use the global settings at all_ - it will not fallback on the global settings in cn=config - you must specify all of the parameters you care about in your local password policy. If you do not, it will fallback on either nothing or the hardcoded default in the server itself.
Regards,
ViSolve LDAP Team.
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Hugo Etievant Sent: Wednesday, February 25, 2009 9:41 PM To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] Password policy don't work on a subtree
hello,
version : Directory Server 1.1.3 on Fedora 8 64 bits plateform
When i configure a password policy on a subtree of my directory, this
policy do not works.
When i configure a global password policy, this global policy works but
ignore locals policy of subtrees.
when i look at the databases ldif backup, il do not find the
"passwordMinLength" attribute for local password policy for subtrees
but this attribut exists in dse ldif for the global policy !
how resolve this ?
regards
--
- Hugo Étiévant *
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org
-
Hugo Etievant -
Rich Megginson -
Visolve LDAP Group