On 10/12/21 5:27 PM, Ghiurea, Isabella wrote:
Hi List,
We are testing a new passwd syntax policy in LDAP. We have only configured
the password length to 8 characters, and according to the RH doc below there
are some exceptions (*aka "trivial words", i.e. uid, cn, givenName, which
cannot be used*) when a user tries to update his passwd. For example, if the
new passwd contains more than 3 characters from his uid, the ldappasswd cmd
will fail.
Example:
uid=6712
For the new passwd cheese671cheese >> will fail
But the passwd cheese67cheese will work.
This is the "token length" you are hitting. There are defaults for some
password policy attributes, even if you don't explicitly set them.
So "PasswordMinTokenLength" defaults to 3 characters; that's why
cheese671cheese is rejected and cheese67cheese is not.
See our docs for all the password policy attributes and their default
values:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#passwordAllowChangeTime
start there and scroll down to see most of the password policy
attributes, their meanings, and default values.
HTH,
Mark
I need to understand whether we need to configure other passwd attributes,
or why there is this minimum character limitation, and how to solve this issue.
Our uid can be from 4 characters to 14 characters in length.
Here is the LDAP LDIF:
nsslapd-pwpolicy-inherit-global: on
nsslapd-pwpolicy-local: off
passwordTrackUpdateTime: on
passwordCheckSyntax: on
passwordminlenghth: 8
passwordMinCategories: 1
And the RH DS doc:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/deployment_guide/designing_a_secure_directory-designing_a_password_policy#Password_Policy_Attributes-Password_Syntax_Checking
9.6.2.7. Password Syntax Checking
/Password syntax checking/ enforces rules for password strings, so
that any password has to meet or exceed certain criteria. All password
syntax checking can be applied globally, per subtree, or per user.
Password syntax checking is set in the /passwordCheckSyntax/ attribute.
The default password syntax requires a minimum password length of
eight characters and that no trivial words are used in the password. A
trivial word is any value stored in the /uid/, /cn/, /sn/,
/givenName/, /ou/, or /mail/ attributes of the user's entry.
Thank you
Isabella
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
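As an added illustration (not from this thread and not the 389-ds source), here is a small Python model of the "trivial word" check Mark describes: every substring of passwordMinTokenLength characters taken from the uid/cn/sn/givenName/ou/mail values is looked for in the new password. Case-insensitive matching and the sample entry are assumptions made for the example.

```python
# Constructed model of the password syntax check discussed above.
# Not the Directory Server implementation; matching is assumed
# case-insensitive and the sample entry below is made up.

TRIVIAL_WORD_ATTRS = ("uid", "cn", "sn", "givenName", "ou", "mail")
DEFAULT_MIN_LENGTH = 8         # passwordMinLength default from the doc
DEFAULT_MIN_TOKEN_LENGTH = 3   # passwordMinTokenLength default per Mark


def trivial_tokens(value, min_token_length):
    """Yield every window of min_token_length characters from an attribute
    value. A value shorter than the token length yields nothing, which is
    why very short uids never trigger the check."""
    v = value.lower()
    for i in range(len(v) - min_token_length + 1):
        yield v[i:i + min_token_length]


def check_password_syntax(password, entry,
                          min_length=DEFAULT_MIN_LENGTH,
                          min_token_length=DEFAULT_MIN_TOKEN_LENGTH):
    """Return the list of reasons the password is rejected.
    An empty list means the password passes syntax checking."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than passwordMinLength={min_length}")
    pw = password.lower()
    for attr in TRIVIAL_WORD_ATTRS:
        for value in entry.get(attr, []):
            for tok in trivial_tokens(value, min_token_length):
                if tok in pw:
                    problems.append(f"contains {tok!r} from attribute {attr}")
                    break  # one hit per attribute value is enough
    return problems


# Constructed sample entry mirroring the uid from the thread.
ENTRY = {"uid": ["6712"], "cn": ["Jane Doe"], "sn": ["Doe"]}

if __name__ == "__main__":
    for pw in ("cheese671cheese", "cheese67cheese"):
        print(pw, "->", check_password_syntax(pw, ENTRY) or "OK")
```

Raising min_token_length to 4 makes "cheese671cheese" pass, because the only 4-character token from uid 6712 is "6712" itself.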