On 11/21/2016 07:51 AM, Alberto Viana wrote:
> Mark,
>
> Done, https://fedorahosted.org/389/ticket/49047
Thank you!
>
> Thanks.
>
> On Fri, Nov 18, 2016 at 5:14 PM, Mark Reynolds <[email protected]> wrote:
>
> On 11/18/2016 01:39 PM, Alberto Viana wrote:
>> Mark,
>>
>> I updated to 1.3.5.14 version and realized that:
>>
>> - If I create the subtree policy using ns-newpwpolicy.pl, 389 starts to
>> store userpassword as plaintext (the other things as disable password
>> expiration works fine), to this specific subtree
>>
>> - If I create the subtree policy using 389-console, everything works fine.
>>
>> Analysing the nsPwPolicyContainer and nsPwTemplateEntry created by both
>> methods I could not find any difference.
>>
>> The exact same thing happens on 1.3.4.11, so is that a script problem?
> If the console works, but the script fails then there is something
> funny with the script. So please file a ticket with the exact
> steps to reproduce the problem, and your initial analysis:
>
> https://fedorahosted.org/389/newticket
>
> Thanks!
> Mark
>
>>
>> Should I file a ticket anyway?
>>
>> Thanks
>>
>> Alberto Viana
>>
>> On Wed, Nov 16, 2016 at 10:24 AM, Mark Reynolds <[email protected]> wrote:
>>
>> On 11/16/2016 07:06 AM, Alberto Viana wrote:
>>> Hi,
>>>
>>> Anyone? I really need some help on this.
>> All you should need to do is set up a subtree policy on those
>> OU's, and those should override the global policy.
>>
>> There was a bug, that I can not seem to find anymore, where
>> this was not working: Subtree policy was not overriding the
>> global policy. It was fixed, but I don't know if the version
>> of 389 that you have has that fix or not. Make sure you are
>> on the latest version of 389 that your platform supports.
>>
>> If this does not work please file a ticket with the exact
>> steps to reproduce the problem:
>>
>> https://fedorahosted.org/389/newticket
>>
>> Regards,
>> Mark
>>
>>> Thanks
>>>
>>> On Fri, Nov 4, 2016 at 1:01 PM, Alberto Viana <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> Just to explain better what I need:
>>>
>>> Enforce a global password policy with password expiration but disable
>>> for some specific OUs (just disable the password expiration).
>>>
>>> On Fri, Nov 4, 2016 at 12:54 PM, Alberto Viana <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> 389-ds: 1.3.4.11
>>>
>>> What I Need:
>>>
>>> Enforce a global password policy but disable for some specific OUs.
>>>
>>> Doc:
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#User_Account_Management-Managing_the_Password_Policy
>>>
>>> Everything was working fine but I realized for that specific OU that I
>>> created a local policy started to store user password as plaintext:
>>>
>>> I created the local policy using the script ns-newpwpolicy.pl as below:
>>>
>>> /opt/dirsrv/sbin/ns-newpwpolicy.pl -v -D "cn=Directory Manager" -w my_manager_pass -S OU=testing,dc=homolog,dc=rnp
>>>
>>> Here's my config:
>>>
>>> nsslapd-pwpolicy-local: on (under cn=config)
>>>
>>> Double checked using 389 console that under this OU,
>>> "Fine-grained subtree policy enabled" is set on.
>>>
>>> ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn="cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp",cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp> with scope subtree
>>> # filter: (objectclass=ldapsubentry)
>>> # requesting: ALL
>>> #
>>>
>>> # cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp, nsPwPolicyContainer, testing, homolog.rnp
>>> dn: cn=cn\3DnsPwTemplateEntry\2COU\3Dtesting\2Cdc\3Dhomolog\2Cdc\3Drnp,cn=nsPwPolicyContainer,OU=testing,dc=homolog,dc=rnp
>>> passwordStorageScheme: SSHA
>>> passwordChange: off
>>> passwordMaxAge: 8640000
>>> passwordExp: off
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: costemplate
>>> objectClass: ldapsubentry
>>> cosPriority: 1
>>> cn: cn=nsPwTemplateEntry,OU=testing,dc=homolog,dc=rnp
>>>
>>> A user entry on this OU:
>>>
>>> dn: uid=app-test,OU=testing,dc=homolog,dc=rnp
>>> userPassword:: MXEydzNlNHI=
>>> ntUserLastLogon: 131219776403276312
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetOrgPerson
>>>
>>> Am I missing something?
>>>
>>> Thanks
>>>
>>> Alberto Viana
_______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
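
The thread turns on whether userPassword values under the subtree are hashed. In LDIF the double colon only marks a base64-encoded value, and a hashed value decodes to text that begins with a scheme tag such as {SSHA}. The following is an added example, not part of the original thread or of 389 Directory Server: it scans ldapsearch LDIF output for userPassword values without such a tag. The entries, DNs and values are constructed, and treating a missing tag or a {CLEAR} tag as unhashed is an assumption of this sketch.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")  # storage tag, e.g. {SSHA}

def unfold(ldif_text):
    """Join LDIF continuation lines (lines that begin with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_unhashed_passwords(ldif_text):
    """Return (dn, reason) for userPassword values lacking a hash tag (heuristic)."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        value = rest.strip()
        if rest.startswith(":"):  # "attr:: value" means base64 in LDIF
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword":
            tag = SCHEME_RE.match(value)
            if tag is None:
                findings.append((dn, "no storage-scheme prefix"))
            elif tag.group(1).upper() == "CLEAR":  # assumption: CLEAR means plaintext
                findings.append((dn, "CLEAR scheme"))
    return findings

# Constructed sample entries (not from the thread); the first value is folded.
_hashed = base64.b64encode(b"{SSHA}constructedHashValueOnly").decode()
SAMPLE_LDIF = "\n".join([
    "dn: uid=hashed-user,ou=example,dc=example,dc=test",
    "userPassword:: " + _hashed[:20] + "\n " + _hashed[20:],
    "",
    "dn: uid=plain-user,ou=example,dc=example,dc=test",
    "userPassword:: " + base64.b64encode(b"constructed-plaintext").decode(),
    "",
    "dn: uid=clear-user,ou=example,dc=example,dc=test",
    "userPassword: {CLEAR}constructed-plaintext",
])

if __name__ == "__main__":
    print(find_unhashed_passwords(SAMPLE_LDIF))
```

Run it over LDIF exported by a bind identity that is allowed to read userPassword; entries it lists were written without a hashing scheme applied.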
