Mark,

Done, https://fedorahosted.org/389/ticket/49047
Thanks.

On Fri, Nov 18, 2016 at 5:14 PM, Mark Reynolds <[email protected]> wrote:

>
> On 11/18/2016 01:39 PM, Alberto Viana wrote:
>
> Mark,
>
> I updated to 1.3.5.14 version and realized that:
>
> - If I create the subtree policy using ns-newpwpolicy.pl, 389 starts to
> store userpassword as plaintext (the other things as disable password
> expiration works fine), to this specific subtree
>
> - If I create the subtree policy using 389-console, everything works fine.
>
> Analysing the nsPwPolicyContainer and nsPwTemplateEntry created by both
> methods I could not find any difference.
>
> The exact same thing happens on 1.3.4.11, so is that a script problem?
>
> If the console works, but the script fails then there is something funny
> with the script. So please file a ticket with the exact steps to reproduce
> the problem, and your initial analysis:
>
> https://fedorahosted.org/389/newticket
>
> Thanks!
> Mark
>
> Should I file a ticket anyway?
>
> Thanks
>
> Alberto Viana
>
> On Wed, Nov 16, 2016 at 10:24 AM, Mark Reynolds <[email protected]>
> wrote:
>
>>
>> On 11/16/2016 07:06 AM, Alberto Viana wrote:
>>
>> Hi,
>>
>> Anyone? I really need some help on this.
>>
>> All you should need to do is setup a subtree policy on those OU's, and
>> those should override the global policy.
>>
>> There was a bug, that I can not seem to find anymore, where this was not
>> working: Subtree policy was not overriding the global policy. It was
>> fixed, but I don't know if the version of 389 that you have has that fix or
>> not. Make sure you are on the latest version of 389 that your platform
>> supports.
>>
>> If this does not work please file a ticket with the exact steps to
>> reproduce the problem:
>>
>> https://fedorahosted.org/389/newticket
>>
>> Regards,
>> Mark
>>
>> Thanks
>>
>> On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> Just to explain better what I need:
>>>
>>> Enforce a global password policy with password expiration but disable
>>> for some specific OUs (just disable the password expiration).
>>>
>>> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> 389-ds: 1.3.4.11
>>>>
>>>> What I Need:
>>>>
>>>> Enforce a global password policy but disable for some specific OUs.
>>>>
>>>> Doc: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy
>>>>
>>>> Everything was working fine but I realized for that specific OU that I
>>>> created a local policy started to store user password as plaintext:
>>>>
>>>> I created the local policy using the script ns-newpwpolicy.pl as below:
>>>>
>>>> /opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
>>>>
>>>> Here's my config:
>>>>
>>>> nsslapd-pwpolicy-local: on (under cn=config)
>>>>
>>>> Double checked using 389 console that under this OU, "Fine-grained
>>>> subtree policy enabled" is set on.
>>>>
>>>> ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
>>>> # filter: (objectclass=ldapsubentry)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
>>>> dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
>>>> passwordStorageScheme: SSHA
>>>> passwordChange: off
>>>> passwordMaxAge: 8640000
>>>> passwordExp: off
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> objectClass: costemplate
>>>> objectClass: ldapsubentry
>>>> cosPriority: 1
>>>> cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
>>>>
>>>> A user entry on this OU:
>>>>
>>>> dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
>>>> userPassword:: MXEydzNlNHI=
>>>> ntUserLastLogon: 131219776403276312
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetOrgPerson
>>>>
>>>> Am I missing something?
>>>>
>>>> Thanks
>>>>
>>>> Alberto Viana
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
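
A check for the symptom reported in this thread, as an added example (not part of the original messages and not 389 project code): it parses ldapsearch LDIF output and lists the DNs whose userPassword carries no {SCHEME} prefix. The `::` marker is only LDIF base64 transport encoding, so the value has to be decoded before it can be classified; the second sample entry and its hashed value are constructed for illustration, and treating {CLEAR} as cleartext is an assumption of this sketch.

```python
import base64
import hashlib
import re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")   # e.g. {SSHA}, {SSHA512}

def parse_ldif(text):
    """Yield (dn, {attr: [bytes]}) per entry; handles folding and '::' base64."""
    unfolded = re.sub(r"\n ", "", text)              # RFC 2849 line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                 # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode()
            if name.lower() == "dn":
                dn = value.decode()
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs

def cleartext_password_dns(text):
    """Return DNs whose userPassword has no {SCHEME} prefix or is {CLEAR}."""
    flagged = []
    for dn, attrs in parse_ldif(text):
        for value in attrs.get("userpassword", []):
            m = SCHEME_RE.match(value)
            if m is None or m.group(1).upper() == b"CLEAR":
                flagged.append(dn)
                break
    return flagged

# Constructed hashed value in the {SSHA} layout: base64(sha1(pw + salt) + salt).
_SALT = b"saltsalt"
_HASHED = b"{SSHA}" + base64.b64encode(
    hashlib.sha1(b"constructed-pw" + _SALT).digest() + _SALT)

# First entry is the one from the thread; the second is constructed.
SAMPLE_LDIF = f"""\
dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
userPassword:: MXEydzNlNHI=

dn: uid=constructed-user,OU=other,dc=homolog,dc=rnp
userPassword:: {base64.b64encode(_HASHED).decode()}
"""
```

Calling `cleartext_password_dns()` on the output of an ldapsearch over a subtree returns only the entries that need a password reset after the policy is corrected.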
