> Hi to whom it may concern,
>
> For many years we used a two-location policy to separate email users from Unix users so that they would not use the same passwords. So we had two trees in our LDAP with the same users but different passwords.

Sorry for reviving this thread a month later.

I am a bit puzzled. On one hand I hear a lot of desire for consolidation onto a single account and for making sure the password the user has complies with the central policies. On the other hand I keep coming across cases where a single account needs more than one password, and I am really confused why. Would using OTP, for example, be a good enough alternative? What is the practical reason to force a user to have more than one password in an enterprise environment?

I wonder, does OTP auth with IPA native tokens work against the compat tree? It should... So with OTP it is always a different password for the two accounts. Should be good enough, no?

What am I missing?


> In FreeIPA (which we now want to migrate to) I can use the accounts and compat (for email) trees for this purpose, so I added
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: userPassword=*
>
> to the compat settings to have a separate place for the password (not userPassword=%{userPassword}, because then the accounts passwords are mirrored).
> This works, but I'm not allowed to change the password, e.g. with:
>   ldappasswd -x -D "cn=Directory Manager" -W -S
> I get a result of:
>
> No such object (32)
> Additional info: Failed to update password
>
> whereas for the accounts tree ldappasswd works fine.
> What additional setting may be required?


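As an added illustration (not code from the thread, from FreeIPA or from the slapi-nis plugin), the following Python model shows the difference between the two settings discussed above: userPassword=%{userPassword} copies the accounts hash into the generated compat entry, while userPassword=* gives the compat entry a literal value. It also models a password modify aimed at a compat DN failing with result code 32, on the assumption that the compat entries are generated from the accounts entries at read time and have no stored counterpart to write to. The base DN, the %{attr} expander (single reference per template only) and the {SSHA} hashing are simplifications chosen for the example.

```python
"""Model of how a compat view is generated from the accounts tree.

Added illustration for the thread above; not FreeIPA or slapi-nis code.
Assumptions: a made-up suffix, {SSHA} password hashes, and a template
expander that understands only the %{attr} form used in the posted LDIF.
"""
import base64
import hashlib
import os
import re

# Assumed suffix; the real deployment's base DN is not given in the thread.
ACCOUNTS_BASE = "cn=users,cn=accounts,dc=example,dc=test"
COMPAT_BASE = "cn=users,cn=compat,dc=example,dc=test"

TEMPLATE_RE = re.compile(r"%\{([A-Za-z][A-Za-z0-9-]*)\}")
NO_SUCH_OBJECT = 32  # LDAP result code the poster saw from ldappasswd


def ssha(password, salt=None):
    """Return an {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a cleartext password against an {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def expand(template, entry):
    """Expand one schema-compat-entry-attribute template against a source entry.

    '%{attr}' is replaced by each value of attr from the source entry, so
    'userPassword=%{userPassword}' copies the hash verbatim (the mirroring
    the poster wanted to avoid). A template with no reference, such as '*',
    is emitted as a literal. Only one reference per template is modelled.
    """
    refs = TEMPLATE_RE.findall(template)
    if not refs:
        return [template]
    return [TEMPLATE_RE.sub(lambda _m, v=v: v, template)
            for v in entry.get(refs[0], [])]


class Directory:
    """A writable accounts tree plus a compat tree generated on the fly."""

    def __init__(self, compat_templates):
        self.store = {}                    # dn -> attrs; the only writable part
        self.templates = compat_templates  # attr -> template, from the plugin config

    def add_user(self, uid, password):
        dn = "uid=%s,%s" % (uid, ACCOUNTS_BASE)
        self.store[dn] = {"uid": [uid], "userPassword": [ssha(password)]}
        return dn

    def compat_dn(self, uid):
        return "uid=%s,%s" % (uid, COMPAT_BASE)

    def compat_view(self):
        """Build the compat entries from the stored accounts entries."""
        view = {}
        for attrs in self.store.values():
            entry = {a: expand(t, attrs) for a, t in self.templates.items()}
            entry["uid"] = list(attrs["uid"])
            view[self.compat_dn(attrs["uid"][0])] = entry
        return view

    def passwd_modify(self, dn, new_password):
        """Password modify against a DN. Only entries in the writable store
        can be updated; a generated compat DN is not one of them, so the
        request fails with noSuchObject, like the error in the thread."""
        if dn not in self.store:
            return NO_SUCH_OBJECT, "No such object / Failed to update password"
        self.store[dn]["userPassword"] = [ssha(new_password)]
        return 0, "Success"


def demo():
    """Run both configurations from the thread and return what each yields."""
    mirrored = Directory({"userPassword": "%{userPassword}"})
    adn = mirrored.add_user("alice", "mail-and-unix")
    cv = mirrored.compat_view()[mirrored.compat_dn("alice")]

    literal = Directory({"userPassword": "*"})
    adn2 = literal.add_user("alice", "unix-only")
    cv2 = literal.compat_view()[literal.compat_dn("alice")]
    rc_compat, _ = literal.passwd_modify(literal.compat_dn("alice"), "mail-only")
    rc_accounts, _ = literal.passwd_modify(adn2, "unix-changed")
    return {
        "mirrored_same_hash": cv["userPassword"] == mirrored.store[adn]["userPassword"],
        "literal_value": cv2["userPassword"],
        "rc_compat": rc_compat,
        "rc_accounts": rc_accounts,
        "new_accounts_pw_ok": verify_ssha("unix-changed", literal.store[adn2]["userPassword"][0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints the outcome of each configuration: with the %{userPassword} template the compat entry carries the identical hash, with the literal template it carries "*", and the simulated password modify succeeds only against the accounts DN. Whether a real compat entry can accept a write is a question for the slapi-nis plugin itself; the model only reproduces the symptom the poster reported.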