Mark, I updated to version 1.3.5.14 and realized that:
- If I create the subtree policy using ns-newpwpolicy.pl, 389 starts to store userPassword as plaintext for this specific subtree (the other things, such as disabling password expiration, work fine).
- If I create the subtree policy using 389-console, everything works fine.

Analysing the nsPwPolicyContainer and nsPwTemplateEntry created by both methods I could not find any difference.

The exact same thing happens on 1.3.4.11, so is that a script problem? Should I file a ticket anyway?

Thanks

Alberto Viana

On Wed, Nov 16, 2016 at 10:24 AM, Mark Reynolds <[email protected]> wrote:

> On 11/16/2016 07:06 AM, Alberto Viana wrote:
> > Hi,
> >
> > Anyone? I really need some help on this.
>
> All you should need to do is set up a subtree policy on those OU's, and those should override the global policy.
>
> There was a bug, that I can not seem to find anymore, where this was not working: Subtree policy was not overriding the global policy. It was fixed, but I don't know if the version of 389 that you have has that fix or not. Make sure you are on the latest version of 389 that your platform supports.
>
> If this does not work please file a ticket with the exact steps to reproduce the problem:
>
> https://fedorahosted.org/389/newticket
>
> Regards,
> Mark
>
> > Thanks
> >
> > On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> Just to explain better what I need:
> >>
> >> Enforce a global password policy with password expiration but disable it for some specific OUs (just disable the password expiration).
> >>
> >> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <[email protected]> wrote:
> >>
> >>> Hi,
> >>>
> >>> 389-ds: 1.3.4.11
> >>>
> >>> What I need:
> >>>
> >>> Enforce a global password policy but disable it for some specific OUs.
> >>>
> >>> Doc: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy
> >>>
> >>> Everything was working fine, but I realized that for the specific OU for which I created a local policy, it started to store user passwords as plaintext.
> >>>
> >>> I created the local policy using the script ns-newpwpolicy.pl as below:
> >>>
> >>> /opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
> >>>
> >>> Here's my config:
> >>>
> >>> nsslapd-pwpolicy-local: on (under cn=config)
> >>>
> >>> Double checked using 389 console that under this OU, "Fine-grained subtree policy enabled" is set on.
> >>>
> >>> ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
> >>> # extended LDIF
> >>> #
> >>> # LDAPv3
> >>> # base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
> >>> # filter: (objectclass=ldapsubentry)
> >>> # requesting: ALL
> >>> #
> >>>
> >>> # cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
> >>> dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
> >>> passwordStorageScheme: SSHA
> >>> passwordChange: off
> >>> passwordMaxAge: 8640000
> >>> passwordExp: off
> >>> objectClass: top
> >>> objectClass: extensibleObject
> >>> objectClass: costemplate
> >>> objectClass: ldapsubentry
> >>> cosPriority: 1
> >>> cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
> >>>
> >>> A user entry on this OU:
> >>>
> >>> dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
> >>> userPassword:: MXEydzNlNHI=
> >>> ntUserLastLogon: 131219776403276312
> >>> objectClass: top
> >>> objectClass: person
> >>> objectClass: organizationalperson
> >>> objectClass: inetOrgPerson
> >>>
> >>> Am I missing something?
> >>>
> >>> Thanks
> >>>
> >>> Alberto Viana
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
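The plaintext-storage symptom reported above, as an added audit check that is not part of the thread or of 389-ds: it parses an LDIF export (the sample below is constructed from the entries quoted in the thread) and flags every userPassword that lacks a hashing {SCHEME} prefix after LDIF base64 (`::`) decoding, since base64 in LDIF output says nothing about whether the stored value is hashed.

```python
import base64
import re

# Constructed sample modelled on the entries quoted in the thread: the first
# entry mirrors the reported problem (userPassword is base64 of a cleartext
# value), the second shows how a properly hashed SSHA value is stored.
SAMPLE_LDIF = """\
dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
objectClass: inetOrgPerson

dn: uid=app-ok,OU=testing,dc=homolog,dc=rnp
userPassword: {SSHA}Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1oYXNo
objectClass: inetOrgPerson
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")  # "{SCHEME}" tag; {CLEAR} means unhashed

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts; joins continuation lines
    (leading space) and decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64 in LDIF says nothing about hashing
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value.strip())
    return entries

def classify_password(value):
    """'hashed' for a hashing {SCHEME} prefix, 'cleartext' for anything else."""
    m = SCHEME_RE.match(value)
    return "hashed" if m and m.group(1).upper() != "CLEAR" else "cleartext"

def audit_password_storage(text):
    """Map each DN that carries userPassword to 'hashed' or 'cleartext'."""
    return {e["dn"][0]: classify_password(e["userPassword"][0])
            for e in parse_ldif(text) if "userPassword" in e}
```

Run it over a `db2ldif` or `ldapsearch` dump of the subtree after creating the policy; any DN reported as cleartext means the template's passwordStorageScheme is not being applied to that entry.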
