Re: [Freeipa-users] compat settings

2015-06-26 Thread Dmitri Pal

On 05/21/2015 02:59 AM, Rudolf Gabler wrote:

Hi to whom it may concern,


For many years we used a 2-location policy to separate email users 
from unix users in order not to use the same passwords. So we had 2 
trees in our LDAP with the same user but different passwords.
Sorry for reviving this thread a month later.

I am a bit puzzled. On one hand I hear a lot of desire for 
consolidation on a single account and making sure the password the 
user has is compliant with the central policies.
On the other side I continue to come across cases where a single 
account needs more than one password. And I am really confused as to why.
Would using OTP, for example, be a good enough alternative? What is the 
practical reason to force a user to have more than one password in the 
enterprise environment?


I wonder whether OTP auth with IPA native tokens works against the compat tree? 
It should...
So with OTP it is always a different password for the two accounts. Should be 
good enough. No?


What am I missing?

Dmitri
In freeipa (where we want to migrate now) I can use the accounts and 
compat (for email) trees for this purpose and so I added a


dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: userPassword=*
to the compat settings to have a separate place for the password (not 
userPassword=%{userPassword}, because then the accounts' passwords are mirrored). 
This works, but I'm not allowed to change the password, e.g. with:
  ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
I get a result of:

No such object (32)
Additional info: Failed to update password

whereas for the accounts tree ldappasswd is working fine.
What additional setting may be required?

Regards,
Rudi Gabler

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] compat settings

2015-05-21 Thread Alexander Bokovoy

On Thu, 21 May 2015, Rudolf Gabler wrote:

Hi to whom it may concern,


For many years we used a 2-location policy to separate email users from
unix users in order not to use the same passwords. So we had 2 trees
in our LDAP with the same user but different passwords.

In freeipa (where we want to migrate now) I can use the accounts and
compat (for email) trees for this purpose and so I added a

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: userPassword=*
to the compat settings to have a separate place for the password (not
userPassword=%{userPassword}, because then the accounts' passwords are
mirrored). This works, but I'm not allowed to change the password, e.g.
with: ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
I get a result of:

No such object (32)
Additional info: Failed to update password

whereas for the accounts tree ldappasswd is working fine.
What additional setting may be required?

slapi-nis does not support modifying entries in the compat tree. The
tree is virtual, it is re-populated from the original data every time
389-ds server is restarted.
--
/ Alexander Bokovoy


[Freeipa-users] compat settings

2015-05-21 Thread Rudolf Gabler
Hi to whom it may concern,


For many years we used a 2-location policy to separate email users from unix 
users in order not to use the same passwords. So we had 2 trees in our LDAP 
with the same user but different passwords.

In freeipa (where we want to migrate now) I can use the accounts and compat 
(for email) trees for this purpose and so I added a

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: userPassword=*
to the compat settings to have a separate place for the password (not 
userPassword=%{userPassword}, because then the accounts' passwords are mirrored). 
This works, but I'm not allowed to change the password, e.g. with:
ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
I get a result of:

No such object (32)
Additional info: Failed to update password

whereas for the accounts tree ldappasswd is working fine.
What additional setting may be required?

Regards,
Rudi Gabler
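A small added example, not from this thread and not part of slapi-nis or FreeIPA, that reads a Schema Compatibility plugin entry like the one above and reports where the compat userPassword comes from: a %{userPassword} template copies the real account hash into the compat view, while a constant such as "*" is read-only there, since the compat tree is virtual and rebuilt from the source entries (which is why ldappasswd against the compat DN fails). The sample LDIF is constructed; the second entry is added only to show the mirroring variant.

```python
import re

# Constructed sample (not copied from the thread): the poster's userPassword=*
# mapping, plus a second entry mirroring the real hash via %{userPassword}.
SAMPLE_LDIF = """\
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-rdn: uid=%{uid}
schema-compat-entry-attribute: objectClass=posixAccount
schema-compat-entry-attribute: uid=%{uid}
schema-compat-entry-attribute: userPassword=*

dn: cn=users-mirrored,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: uid=%{uid}
schema-compat-entry-attribute: userPassword=%{userPassword}
"""
TEMPLATE_RE = re.compile(r"%\{([^}]+)\}")  # slapi-nis %{attr} substitution

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")  # no base64 (::) values here
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_entry(entry):
    """Report whether the compat userPassword copies the real hash (credential
    exposure) or is a constant that the virtual, read-only tree never lets you change."""
    findings = []
    for mapping in entry.get("schema-compat-entry-attribute", []):
        name, _, template = mapping.partition("=")
        if name.strip().lower() == "userpassword":
            sources = TEMPLATE_RE.findall(template)
            if "userPassword" in sources:
                findings.append("userPassword mirrors the real account password hash")
            elif not sources:
                findings.append(f"userPassword is the constant {template.strip()!r}; read-only")
    return findings
```

Run it over the output of an ldapsearch against cn=Schema Compatibility,cn=plugins,cn=config to see which compat views expose the real hash and which carry an unchangeable placeholder.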