On 11/18/2016 01:39 PM, Alberto Viana wrote:
> Mark,
>
> I updated to the 1.3.5.14 version and realized that:
>
> - If I create the subtree policy using ns-newpwpolicy.pl, 389 starts to
>   store userPassword as plaintext (the other things, such as disabling
>   password expiration, work fine) for this specific subtree.
>
> - If I create the subtree policy using 389-console, everything works
>   fine.
>
> Analysing the nsPwPolicyContainer and nsPwTemplateEntry created by both
> methods, I could not find any difference.
>
> The exact same thing happens on 1.3.4.11, so is that a script problem?

If the console works but the script fails, then there is something funny
with the script. So please file a ticket with the exact steps to reproduce
the problem, and your initial analysis:

https://fedorahosted.org/389/newticket

Thanks!
Mark

> Should I file a ticket anyway?
>
> Thanks
>
> Alberto Viana
>
> On Wed, Nov 16, 2016 at 10:24 AM, Mark Reynolds <[email protected]> wrote:
>
> On 11/16/2016 07:06 AM, Alberto Viana wrote:
>> Hi,
>>
>> Anyone? I really need some help on this.
> All you should need to do is set up a subtree policy on those OUs, and
> those should override the global policy.
>
> There was a bug, that I can not seem to find anymore, where this was not
> working: the subtree policy was not overriding the global policy. It was
> fixed, but I don't know if the version of 389 that you have has that fix
> or not. Make sure you are on the latest version of 389 that your platform
> supports.
>
> If this does not work please file a ticket with the exact steps to
> reproduce the problem:
>
> https://fedorahosted.org/389/newticket
>
> Regards,
> Mark
>
>> Thanks
>>
>> On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <[email protected]> wrote:
>>
>> Hi,
>>
>> Just to explain better what I need:
>>
>> Enforce a global password policy with password expiration but disable it
>> for some specific OUs (just disable the password expiration).
>>
>> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <[email protected]> wrote:
>>
>> Hi,
>>
>> 389-ds: 1.3.4.11
>>
>> What I need:
>>
>> Enforce a global password policy but disable it for some specific OUs.
>>
>> Doc:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy
>>
>> Everything was working fine, but I realized that the specific OU for
>> which I created a local policy started to store user passwords as
>> plaintext.
>>
>> I created the local policy using the script ns-newpwpolicy.pl as below:
>>
>> /opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
>>
>> Here's my config:
>>
>> nsslapd-pwpolicy-local: on (under cn=config)
>>
>> Double checked using 389 console that under this OU, "Fine-grained
>> subtree policy enabled" is set on.
>>
>> ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
>> # filter: (objectclass=ldapsubentry)
>> # requesting: ALL
>> #
>>
>> # cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
>> dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
>> passwordStorageScheme: SSHA
>> passwordChange: off
>> passwordMaxAge: 8640000
>> passwordExp: off
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: costemplate
>> objectClass: ldapsubentry
>> cosPriority: 1
>> cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
>>
>> A user entry on this OU:
>>
>> dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
>> userPassword:: MXEydzNlNHI=
>> ntUserLastLogon: 131219776403276312
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetOrgPerson
>>
>> Am I missing something?
>>
>> Thanks
>>
>> Alberto Viana
>>
>> _______________________________________________
>> 389-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
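The symptom in this thread is only visible in the stored values, not in the policy entries: the CoS template says `passwordStorageScheme: SSHA`, yet the user's `userPassword::` value is plain base64 of a cleartext string with no `{SCHEME}` prefix. The following is an added example, not code from the thread or from the 389-ds project: a small audit that parses `ldapsearch` LDIF output (base64 `::` values, folded continuation lines, comments) and reports the DNs whose `userPassword` lacks a storage-scheme prefix. The sample LDIF is constructed for the example; its first entry mirrors the user entry quoted above, and the hashed value in the second entry is a made-up placeholder, not a real SSHA digest.

```python
import base64
import re
import sys

# Constructed sample LDIF (example input, not captured from a real server).
# Entry 1 mirrors the user entry from the thread: MXEydzNlNHI= decodes to a
# cleartext value with no {SCHEME} prefix. Entry 2 is a constructed entry
# whose value carries an {SSHA} prefix (the digest itself is a placeholder).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
#
dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=
objectClass: top
objectClass: inetOrgPerson

dn: uid=hashed-test,OU=testing,dc=homolog,dc=rnp
userPassword: {SSHA}UExBQ0VIT0xERVItTk9ULUEtUkVBTC1IQVNI
objectClass: top
objectClass: inetOrgPerson

# search result
search: 2
result: 0 Success
"""

# Storage-scheme prefix as written by 389-ds / RFC 2307 style servers,
# e.g. {SSHA}, {PBKDF2_SHA256}, {CRYPT}. Anything without it is cleartext.
SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9_\-]+\}")


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr_lower: [bytes, ...]}).

    Handles '::' base64 values, leading-space continuation lines and '#'
    comments. It is deliberately not a full RFC 2849 parser (no changetype
    records), which is enough for ldapsearch output."""
    # Unfold: a line starting with a single space continues the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries = []
    current = None
    for line in unfolded + [""]:  # sentinel blank line flushes the last record
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())   # attr:: base64
        elif rest.startswith("<"):
            value = rest[1:].strip().encode()           # attr:< url (kept, not fetched)
        else:
            value = rest.strip().encode()
        if attr.lower() == "dn":
            current = (value.decode("utf-8", "replace"), {})
            continue
        if current is None:
            continue  # trailer lines such as 'search:' / 'result:' outside a record
        current[1].setdefault(attr.lower(), []).append(value)
    return entries


def find_cleartext_passwords(ldif_text):
    """Return the DNs with at least one userPassword value lacking a {SCHEME}
    prefix. Only DNs are returned; the decoded values are never exposed."""
    flagged = []
    for dn, attrs in parse_ldif(ldif_text):
        if any(not SCHEME_RE.match(v) for v in attrs.get("userpassword", [])):
            flagged.append(dn)
    return flagged


if __name__ == "__main__":
    # Pipe ldapsearch output in, or run with no stdin to audit the sample.
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for dn in find_cleartext_passwords(data):
        print("cleartext userPassword:", dn)
```

To audit a real subtree, read the passwords as Directory Manager and pipe the LDIF in, for example `ldapsearch -x -D "cn=Directory Manager" -W -b OU=testing,dc=homolog,dc=rnp userPassword | python3 pwaudit.py`. Checking the stored values, rather than the `passwordStorageScheme` attribute of the policy, is what catches the situation described in the thread, and it is worth re-running after any change to local password policies.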
