Hi Eugen,
if I understood correctly, the customer already has a password policy set up
for common users, who should not be able to change the password after it
expires.

And the customer needs another policy for the special users which should be
able to change the password after expiration (or the expiration should be
disabled for them completely).

For that, the customer can configure a local password policy for the
particular subtree/user.
Please check section 20.4.2 here:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/user_account_management-managing_the_password_policy

Hope that helps,
Simon

On Wed, Sep 16, 2020 at 2:09 PM Eugen Lamers <[email protected]>
wrote:

> We have the following scenario:
> We use a "global" password policy at cn=config where a customer of ours
> defines:
>
> passwordexp: on
> passwordmaxage:  7776000
> passwordwarning: 7344000
>
> We provide as default configuration "passwordMustChange: on" to force a new
> user to change the initial password. In this setup a user whose password
> expired, i.e. also after this user is created and needs to change its
> initial password, cannot log in to the account, but he can change the
> password.
>
> The customer now wants a setup which prevents a user whose password
> expired from changing the password. A plugin "Account Policy Plugin" can
> therefore be activated by the customer, which uses the following
> configuration:
>
> dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: config
> alwaysrecordlogin: yes
> stateAttrName: non_existent_attribute
> altStateAttrName: passwordExpirationTime
> specattrname: acctPolicySubentry
> limitattrname: accountInactivityLimit
>
> As a consequence, the initial password change does not work anymore, thus
> the customer must change to "passwordMustChange: off". This would probably
> be acceptable.
>
> A problem is, however, that a user account which has its own user password
> policy with "passwordexp: off" and "passwordmustchange: off" is affected by
> the plugin in such a way that the attribute passwordExpirationTime of the
> user itself is evaluated and the attribute passwordexp of the user password
> policy is ignored. That means, a user password policy for special user
> accounts without password expiration cannot be used in combination with the
> Account Policy Plugin.
> Can the plugin be configured to enable this possibility, or is there another
> way to achieve the desired behaviour?
> _______________________________________________
> 389-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
>
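The subtree-level local password policy that the reply points to, written out as an added example (this is not code from either message or from the 389 DS project). It generates the LDIF that the linked documentation describes for a subtree policy: the global nsslapd-pwpolicy-local switch, a nsPwPolicyContainer, a passwordpolicy subentry with passwordExp and passwordMustChange off, and the CoS template/definition that attaches that subentry to every entry below the subtree. The subtree DN (ou=special,dc=example,dc=com), the LDAP URL, the bind DN and the password file are assumptions; whether such a policy is honoured while the Account Policy Plugin is active is the open question of the thread and is not settled by this example.

```shell
#!/bin/sh
# Added example: build (and optionally apply) a 389 DS / RHDS local password
# policy for one subtree that disables password expiration. The entry names
# follow the convention in the RHDS administration guide; all DNs, the host
# and the credentials below are assumptions for illustration.
set -eu

SUBTREE="${SUBTREE:-ou=special,dc=example,dc=com}"   # assumed subtree
LDAP_URL="${LDAP_URL:-ldap://localhost:389}"          # assumed server
BIND_DN="${BIND_DN:-cn=Directory Manager}"            # assumed bind DN

# Local policies are only evaluated once this cn=config switch is on.
enable_local_pwp_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on
EOF
}

# Emit the four entries that bind a no-expiration policy to every entry
# under the subtree given as $1: container, policy subentry, CoS template,
# CoS pointer definition.
gen_local_pwp_ldif() {
  subtree="$1"
  container="cn=nsPwPolicyContainer,$subtree"
  policy="cn=\"cn=nsPwPolicyEntry,$subtree\",$container"
  template="cn=\"cn=nsPwTemplateEntry,$subtree\",$container"
  cat <<EOF
dn: $container
changetype: add
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

dn: $policy
changetype: add
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: "cn=nsPwPolicyEntry,$subtree"
passwordExp: off
passwordMustChange: off

dn: $template
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
pwdpolicysubentry: $policy

dn: cn=nsPwPolicy_CoS,$subtree
changetype: add
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cosTemplateDn: $template
cosAttribute: pwdpolicysubentry default operational
EOF
}

# Count how many entries a generated LDIF would add; used as a sanity check.
count_adds() {
  grep -c '^changetype: add$'
}

# With APPLY=1 the LDIF is fed to ldapmodify (password read from PASS_FILE);
# otherwise it is only printed for review.
if [ "${APPLY:-0}" = 1 ]; then
  { enable_local_pwp_ldif; echo; gen_local_pwp_ldif "$SUBTREE"; } |
    ldapmodify -x -H "$LDAP_URL" -D "$BIND_DN" -y "${PASS_FILE:?set PASS_FILE}"
else
  enable_local_pwp_ldif; echo; gen_local_pwp_ldif "$SUBTREE"
fi
```

After applying, confirm that a user below the subtree actually resolves to the local policy (the operational attribute is only returned when requested explicitly): `ldapsearch -x -H ldap://localhost:389 -D "cn=Directory Manager" -W -b "uid=alice,ou=special,dc=example,dc=com" -s base pwdpolicysubentry`. If the attribute is missing, the CoS definition or nsslapd-pwpolicy-local is not in effect and the global policy at cn=config still applies.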