Hi Pierre,
On 24/7/24 23:54, Pierre Rogier wrote:
> Hi Grant,
>
> I think that you can disable the password history feature by using:
>
>     dsconf instance_name pwpolicy set --pwdhistory off

Password history and last login history are separate things though, right? We do need to maintain password history for our password policy (rotation, can't use last x passwords, etc.)

From what I was reading, the lastLoginHistory attribute was something that was added recently (well, about 12 months ago) to satisfy an RFE. See https://github.com/389ds/389-ds-base/issues/5752

Thanks,
Grant

> Similarly, to change the history size, you can try:
>
>     dsconf instance_name pwpolicy set --pwdhistorycount 0
>
> Regards,
> Pierre
>
> On Wed, Jul 24, 2024 at 2:23 PM Grant Byers <[email protected]> wrote:
>> Hi,
>>
>> We've recently migrated our multi-supplier, multi-consumer 389 infra from 2.0.x to 2.2.9. The migration was relatively painless, but our logs are currently flooded with messages like the following;
>>
>> [24/Jul/2024:11:10:10.499567264 +0000] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=xxxxx,ou=people,dc=example,dc=net'
>> [24/Jul/2024:11:10:10.696468976 +0000] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20240724111004Z) failed.
>>
>> There's a bug report for this that matches ours[1], and the issue appears to have been addressed. It doesn't appear to have been addressed in 2.2.9 however, which is the latest version available in the copr repo[2] that effectively replaced epel8-modular.
>>
>> We have the AccountPolicy plugin enabled only to record lastLoginTime (a requirement from our security team), so we can't just disable it. We also use password policy, so we chain binds from consumers to suppliers.
>>
>> I've seen mention that the lastLoginHistory attribute can be disabled by setting lastLoginHistorySize to 0. I can't find any documentation on this anywhere though. I've tried setting it in the AccountPolicyPlugin config & also directly in cn=config, unsuccessfully.
>>
>> What are our options?
>>
>> Thanks,
>> Grant
>>
>> [1] https://github.com/389ds/389-ds-base/issues/5834
>> [2] https://copr.fedorainfracloud.org/coprs/g/389ds/389-directory-server/
>> --
>> _______________________________________________
>> 389-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
> --
> --
> 389 Directory Server Development Team
