Hi, 389-ds: 1.3.4.11
What I need: Enforce a global password policy but disable it for some specific OUs.

Doc: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy

Everything was working fine, but I realized that the specific OU for which I created a local policy started to store user passwords as plaintext.

I created the local policy using the script ns-newpwpolicy.pl as below:

/opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp

Here's my config:

nsslapd-pwpolicy-local: on (under cn=config)

Double checked using 389 console that under this OU, "Fine-grained subtree policy enabled" is set on.

ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'

# extended LDIF
#
# LDAPv3
# base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#

# cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPol
 icyContainer, testing, homolog.rnp
dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=n
 sPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
passwordStorageScheme: SSHA
passwordChange: off
passwordMaxAge: 8640000
passwordExp: off
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp

A user entry on this OU:

dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
ntUserLastLogon: 131219776403276312
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson

Am I missing something?

Thanks

Alberto Viana
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
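
The symptom described in the message above (a base64 userPassword value that carries no scheme tag such as {SSHA}) can be checked across a whole LDIF export. This is an added example, not part of the original post and not 389-ds code; the function name, the sample entries and the treatment of a {CLEAR} tag as unhashed are assumptions made for illustration.

```python
import base64
import re

# Leading "{SCHEME}" tag, as in the {SSHA} values a hashing scheme produces.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample export (not data from the post): one hashed, one not.
SAMPLE_LDIF = "\n".join([
    "dn: uid=hashed-user,ou=example,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}" + "A" * 40),
    "",
    "dn: uid=clear-user,ou=example,dc=example,dc=com",
    "userPassword:: " + _b64("constructed-cleartext"),
    "",
])

def find_unhashed_passwords(ldif):
    """Return DNs whose userPassword has no scheme tag, or the CLEAR tag."""
    findings = []
    dn = None
    # LDIF folds long lines: a newline followed by one space is a continuation.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if not line.strip():
            dn = None  # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        # "attr:: value" is base64-encoded, "attr: value" is literal.
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        if attr.lower() == "dn":
            dn = value.decode("utf-8", "replace")
        elif attr.lower() == "userpassword":
            tag = SCHEME_RE.match(value.decode("latin-1"))
            if tag is None or tag.group(1).lower() == "clear":
                findings.append(dn)  # report the DN only, never the value
    return findings

if __name__ == "__main__":
    for entry in find_unhashed_passwords(SAMPLE_LDIF):
        print("no hashing scheme on userPassword:", entry)
```

The check reports only the DN of each affected entry, so its output can be shared without exposing the stored values.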
