[389-users] Re: Password policy not working

2018-10-16 Thread Nick W. Harrison
Aside from any default policies, I created a password policy for the subtree on 
ou=People,dc=example,dc=org. The enabled settings in that policy are:

* Fine-grained subtree policy enabled
* Password expires after x days
* Check password syntax (followed by the specifications for that)

The "User may change password" option is left unchecked in this password policy.

I don't have a user password policy enabled, only a subtree one. I have my user 
objects and passwords being synced over from AD via a unidirectional 
relationship (win-to-linux).

From: Mark Reynolds
Sent: Monday, October 15, 2018 3:19 PM
To: General discussion list for the 389 Directory server project.
<389-users@lists.fedoraproject.org>; Nick W. Harrison
Subject: Re: [389-users] Re: Password policy not working

On 10/15/18 10:09 AM, Nick W. Harrison wrote:
The version of 389-ds-base is 1.3.7.5-24.

The below snippet appears to be the full sequence from the access log on my 
LDAP server. I have a Linux client using SSSD to bind to the directory 
(account: mybindacct). I SSH into my client as johndoe and change my password 
with the usual passwd command.

[15/Oct/2018:09:26:11.609685215 -0400] conn=206895 TLS1.2 256-bit AES-GCM
[15/Oct/2018:09:26:11.612881217 -0400] conn=206895 op=0 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl 
supportedExtension supportedFeatures supportedLDAPVersion 
supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext 
lastusn highestcommittedusn aci"
[15/Oct/2018:09:26:11.613707013 -0400] conn=206895 op=0 RESULT err=0 tag=101 
nentries=1 etime=0.0011199684
[15/Oct/2018:09:26:11.615468995 -0400] conn=206895 op=1 BIND 
dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.615687824 -0400] conn=206895 op=1 RESULT err=0 tag=97 
nentries=0 etime=0.260954 dn="uid=mybindacct,ou=special 
users,dc=example,dc=org"
[15/Oct/2018:09:26:11.616003685 -0400] conn=206895 op=2 BIND 
dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.616327955 -0400] conn=206895 op=2 RESULT err=0 tag=97 
nentries=0 etime=0.365138 
dn="uid=johndoe,ou=test,ou=people,dc=example,dc=org"
[15/Oct/2018:09:26:11.624910413 -0400] conn=206895 op=3 EXT 
oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:26:11.627984160 -0400] conn=206895 op=3 RESULT err=0 tag=120 
nentries=0 etime=0.0003117005
[15/Oct/2018:09:26:11.630152739 -0400] conn=206895 op=4 UNBIND

One question is which account is actually doing the attribute change: is it my 
SSSD bind account the one updating the johndoe password attribute on behalf of 
the johndoe user?

It should be changing it as "uid=johndoe,ou=test,ou=people,dc=example,dc=org", 
but perhaps the password modify extended operation is bypassing the password 
policy?  I need to try and reproduce this before opening a ticket.  So the 
global password policy under cn=config allows users to change their password, 
but a subtree policy denies the user this privilege, and yet they are still 
allowed to reset their own password; is this correct?  I need to make sure I am 
using the same setup as you are.

Mark

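
Nick's question (which identity actually performs the change) can be read off the access log itself, because 389-ds logs every BIND together with its RESULT, and every later operation on that connection runs as whichever DN bound last. The script below replays the log per connection and reports the actor of each Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1, the EXT op in the log). It is an added example, not part of the thread and not 389-ds code. The first log is the one Nick posted, re-joined onto single lines; the second is a constructed variant in which the user's bind fails. Assumptions: the key=value layout of 389-ds access-log lines, method=128 meaning a simple bind, and the LDAP rule (RFC 4511) that a failed bind leaves the connection anonymous.

```python
"""Replay a 389-ds access log and attribute every operation on a connection to
the identity that was bound when the operation was issued.

Added example; not from the thread and not 389-ds code.  Assumptions: the
generic 'key=value' / 'key="value"' layout of access-log lines, method=128
meaning a simple bind, and (RFC 4511) that a failed bind leaves the
connection anonymous.
"""
import re
from collections import defaultdict

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 Password Modify
BIND_RESPONSE_TAG = "97"                          # LDAP BindResponse tag as logged
SIMPLE_BIND_METHOD = "128"                        # method=128: simple bind (assumed)

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Nick's log as posted in the thread, one record per line.
ACCESS_LOG = """\
[15/Oct/2018:09:26:11.609685215 -0400] conn=206895 TLS1.2 256-bit AES-GCM
[15/Oct/2018:09:26:11.612881217 -0400] conn=206895 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[15/Oct/2018:09:26:11.613707013 -0400] conn=206895 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0011199684
[15/Oct/2018:09:26:11.615468995 -0400] conn=206895 op=1 BIND dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.615687824 -0400] conn=206895 op=1 RESULT err=0 tag=97 nentries=0 etime=0.260954 dn="uid=mybindacct,ou=special users,dc=example,dc=org"
[15/Oct/2018:09:26:11.616003685 -0400] conn=206895 op=2 BIND dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.616327955 -0400] conn=206895 op=2 RESULT err=0 tag=97 nentries=0 etime=0.365138 dn="uid=johndoe,ou=test,ou=people,dc=example,dc=org"
[15/Oct/2018:09:26:11.624910413 -0400] conn=206895 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:26:11.627984160 -0400] conn=206895 op=3 RESULT err=0 tag=120 nentries=0 etime=0.0003117005
[15/Oct/2018:09:26:11.630152739 -0400] conn=206895 op=4 UNBIND
"""

# Constructed counter-example (not from the thread): the user's bind fails
# (err=49), so the Password Modify that follows is issued anonymously and the
# server is shown refusing it (err=53, unwilling to perform).
FAILED_BIND_LOG = """\
[15/Oct/2018:09:30:00.000000000 -0400] conn=300 op=0 BIND dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:30:00.001000000 -0400] conn=300 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[15/Oct/2018:09:30:00.002000000 -0400] conn=300 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:30:00.003000000 -0400] conn=300 op=1 RESULT err=53 tag=120 nentries=0 etime=0.001
"""


def parse_fields(rest):
    """Split 'VERB k=v k="quoted v" ...' into the verb and a dict of fields."""
    verb = rest.split(" ", 1)[0]
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(rest)}
    return verb, fields


def attribute_operations(log_text):
    """One record per operation, tagged with the DN bound on its connection."""
    conns = defaultdict(lambda: {"actor": None, "method": None, "tls": None,
                                 "pending_bind": {}, "bind_history": []})
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn_id, op = m.group("conn"), m.group("op")
        conn = conns[conn_id]
        verb, f = parse_fields(m.group("rest"))
        if op is None:                        # connection-level line (TLS etc.)
            if verb.startswith("TLS"):
                conn["tls"] = m.group("rest")
            continue
        if verb == "BIND":
            conn["pending_bind"][op] = f
        elif verb == "RESULT" and op in conn["pending_bind"]:
            req = conn["pending_bind"].pop(op)
            if f.get("err") == "0" and f.get("tag") == BIND_RESPONSE_TAG:
                # the RESULT line carries the normalised DN; fall back to the request
                conn["actor"] = f.get("dn") or req.get("dn") or None
                conn["method"] = "simple" if req.get("method") == SIMPLE_BIND_METHOD else req.get("method")
                if conn["actor"]:
                    conn["bind_history"].append(conn["actor"])
            else:
                conn["actor"], conn["method"] = None, None   # failed bind -> anonymous
        elif verb == "RESULT":
            for r in reversed(records):       # outcome of an earlier op on this conn
                if r["conn"] == conn_id and r["op"] == op:
                    r["err"] = int(f.get("err", -1))
                    break
        else:
            records.append({"ts": m.group("ts"), "conn": conn_id, "op": op, "verb": verb,
                            "actor": conn["actor"], "actor_method": conn["method"],
                            "tls": conn["tls"], "bind_history": list(conn["bind_history"]),
                            "oid": f.get("oid"), "name": f.get("name"), "err": None})
    return records


def password_modify_events(log_text):
    """Only the RFC 3062 Password Modify extended operations, with who issued them."""
    return [r for r in attribute_operations(log_text)
            if r["verb"] == "EXT" and r["oid"] == PASSWD_MODIFY_OID]


if __name__ == "__main__":
    for ev in password_modify_events(ACCESS_LOG) + password_modify_events(FAILED_BIND_LOG):
        print(f"conn={ev['conn']} op={ev['op']}: Password Modify issued as "
              f"{ev['actor'] or 'anonymous'} ({ev['actor_method'] or 'no'} bind, "
              f"{ev['tls'] or 'no TLS line'}), err={ev['err']}; binds so far: {ev['bind_history']}")
```

For Nick's log this attributes op=3 to uid=johndoe: the mybindacct bind (op=1) is SSSD's lookup identity and is superseded by the user's own simple bind (op=2) before the extended operation, so the server is handling a self-service change by johndoe, which is what Mark expects. Two caveats: the access log does not record the target DN carried inside the Password Modify request, so the bound identity is the most it can prove, and the TLS line only shows that the password crossed the wire encrypted, not which policy the server chose to apply.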
[389-users] Re: Password policy not working

2018-10-15 Thread Nick W. Harrison
The version of 389-ds-base is 1.3.7.5-24.

The below snippet appears to be the full sequence from the access log on my 
LDAP server. I have a Linux client using SSSD to bind to the directory 
(account: mybindacct). I SSH into my client as johndoe and change my password 
with the usual passwd command.

[15/Oct/2018:09:26:11.609685215 -0400] conn=206895 TLS1.2 256-bit AES-GCM
[15/Oct/2018:09:26:11.612881217 -0400] conn=206895 op=0 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl 
supportedExtension supportedFeatures supportedLDAPVersion 
supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext 
lastusn highestcommittedusn aci"
[15/Oct/2018:09:26:11.613707013 -0400] conn=206895 op=0 RESULT err=0 tag=101 
nentries=1 etime=0.0011199684
[15/Oct/2018:09:26:11.615468995 -0400] conn=206895 op=1 BIND 
dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.615687824 -0400] conn=206895 op=1 RESULT err=0 tag=97 
nentries=0 etime=0.260954 dn="uid=mybindacct,ou=special 
users,dc=example,dc=org"
[15/Oct/2018:09:26:11.616003685 -0400] conn=206895 op=2 BIND 
dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.616327955 -0400] conn=206895 op=2 RESULT err=0 tag=97 
nentries=0 etime=0.365138 
dn="uid=johndoe,ou=test,ou=people,dc=example,dc=org"
[15/Oct/2018:09:26:11.624910413 -0400] conn=206895 op=3 EXT 
oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:26:11.627984160 -0400] conn=206895 op=3 RESULT err=0 tag=120 
nentries=0 etime=0.0003117005
[15/Oct/2018:09:26:11.630152739 -0400] conn=206895 op=4 UNBIND

One question is which account is actually doing the attribute change: is it my 
SSSD bind account the one updating the johndoe password attribute on behalf of 
the johndoe user?

Thanks,
Nick


___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


[389-users] Re: Password policy not working

2018-10-12 Thread Mark Reynolds

That is the wrong package "389-ds", what is the version of "389-ds-base"?

Can you share what is in the server's access log when the password is 
changed (/var/log/dirsrv/slapd-YOUR_INSTANCE/access)? There should be a 
few operations that occur during the password change so please make sure 
to provide a full clip from the log.


Thanks,

Mark


On 10/12/18 12:05 PM, Nick W. Harrison wrote:


Hello –

I have a password policy on the OU that contains all of my user 
accounts. This password policy is set on the subtree and the “user may 
change password” option is deselected. However, I’m still able to 
change my password if I use passwd on an LDAP client.


I’m running an older version of 389-ds…v.1.2.2-6…and am wondering if 
there is anything additional I need to put in place to prevent users 
from changing their passwords. My accounts and passwords are 
replicated over from AD with a unidirectional relationship, and the 
clients are doing simple binds.


Thanks for any thoughts.




[389-users] Re: password policy

2018-09-27 Thread Alberto Viana
I saw that in the docs; it is now working fine.

Thanks a lot.



[389-users] Re: password policy

2018-09-27 Thread Mark Reynolds



On 09/26/2018 04:15 PM, Mark Reynolds wrote:

On 09/26/2018 03:51 PM, Alberto Viana wrote:

Hi Mark,

I already have this configuration but it stopped working after I 
enabled my password policy. Another thing is the error changed; it's 
not the same as when the prehashed config was missing and my password was 
set to off.


When you turn syntax checking on then Password Admin functionality 
breaks, correct?  If so, it sounds like a bug then.  Please file a 
ticket with the exact steps to reproduce the problem.

Actually I think you need to set (again) passwordAdminDN in each subtree 
policy.  Please try this and let me know if it works.

Thanks,
Mark


https://pagure.io/389-ds-base/new_issue

Thanks,
Mark




[389-users] Re: password policy

2018-09-27 Thread Mark Reynolds

Hi Alberto,

Only Directory Manager or a Password Admin can add pre-hashed 
passwords.  It has nothing to do with password policy settings. For more 
on password admins see:


https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/password_administrators

HTH,

Mark


On 09/26/2018 02:31 PM, Alberto Viana wrote:

I have a password policy applied globally like this:

dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordWarning: 86400
passwordInHistory: 3
passwordMinLength: 8
passwordMinCategories: 3
passwordStorageScheme: SSHA512
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: on
passwordExp: on
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,DC=my,DC=domain

In a sub OU, I have this policy:

# cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordStorageScheme: SSHA
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: off
passwordExp: off
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain

But when I try to add a prehashed password on this sub OU, I see this 
kind of error:
LDAP: error code 19 - invalid password syntax - passwords with storage 
scheme are not allowed


Is this an expected behavior even if in the sub OU I have a password 
policy with passwordCheckSyntax set to off? If so, do I have any way 
to disable this behavior? (But I cannot disable my global password 
policy.)


PS: The password policy is respecting the fact that passwordCheckSyntax 
is set to off when I try to add a simple password like '1234'.




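Mark's point above (a value that already carries a storage-scheme tag is accepted only from Directory Manager or a password admin, and passwordCheckSyntax has nothing to do with it) and his later suggestion to set passwordAdminDN in each subtree policy can be modelled in a few lines, with the two policies Alberto posted reduced to the attributes the model reads. This is an added example, not from the thread and not 389-ds code. The {SSHA}/{SSHA512} layout is the usual base64(digest || salt); the 8-byte salt, the four character categories behind passwordMinCategories, passwordAdminDN modelled as a set of DNs, a password admin being exempt from syntax checks (as I read the Red Hat guide Mark links to), and the DNs uid=pwadmin,... and uid=alberto,... are all assumptions.

```python
"""Model of how a directory decides whether to accept a userPassword value:
pre-hashed (scheme-tagged) values only from Directory Manager or a password
admin, syntax checks only for plain values when passwordCheckSyntax is on,
then hashing with the policy's passwordStorageScheme.

Added example, not from the thread and not 389-ds code.  Assumed, not on the
page: 8-byte salts, four character categories, passwordAdminDN as a set of
DNs, admins exempt from syntax checks, and the uid=pwadmin / uid=alberto DNs.
"""
import base64
import hashlib
import hmac
import os
import re

DIRECTORY_MANAGER = "cn=Directory Manager"                  # 389-ds root DN (default name)
SCHEMES = {"SSHA": ("sha1", 8), "SSHA512": ("sha512", 8)}   # digest, salt bytes (assumed)
TAG_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)
PREHASHED_ERROR = "invalid password syntax - passwords with storage scheme are not allowed"

# The two policies Alberto posted, reduced to the attributes this model reads.
GLOBAL_POLICY = {"passwordCheckSyntax": "on", "passwordMinLength": "8",
                 "passwordMinCategories": "3", "passwordStorageScheme": "SSHA512",
                 "passwordAdminDN": set()}
SUB_OU_POLICY = {"passwordCheckSyntax": "off", "passwordStorageScheme": "SSHA",
                 "passwordAdminDN": {"uid=pwadmin,ou=my,dc=my,dc=domain"}}  # admin DN assumed


def hash_password(plain, scheme="SSHA512", salt=None):
    """{SCHEME}base64(digest(plain || salt) || salt): the value the server stores."""
    digest_name, salt_len = SCHEMES[scheme]
    salt = os.urandom(salt_len) if salt is None else salt
    digest = hashlib.new(digest_name, plain.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(value):
    """('SSHA512', payload) for a tagged value, (None, value) for plaintext."""
    m = TAG_RE.match(value)
    if m and m.group(1).upper() in SCHEMES:
        return m.group(1).upper(), m.group(2)
    return None, value


def is_prehashed(value):
    return split_scheme(value)[0] is not None


def verify_password(plain, stored):
    """Recompute the salted digest from the stored salt and compare in constant time."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        return False
    digest_name, _ = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    size = hashlib.new(digest_name).digest_size
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.new(digest_name, plain.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def syntax_errors(plain, policy):
    """Check a plain password against passwordMinLength / passwordMinCategories."""
    errs = []
    if len(plain) < int(policy.get("passwordMinLength", 0)):
        errs.append("too short")
    categories = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    found = sum(any(test(c) for c in plain) for test in categories)
    if found < int(policy.get("passwordMinCategories", 0)):
        errs.append("too few character categories")
    return errs


def admit_password(value, actor_dn, policy):
    """Return the value to store, or raise ValueError with the server-style reason."""
    admin = actor_dn == DIRECTORY_MANAGER or actor_dn in policy.get("passwordAdminDN", set())
    if is_prehashed(value):
        if not admin:
            raise ValueError(PREHASHED_ERROR)     # the error 19 text Alberto saw
        return value                               # stored exactly as supplied
    if policy.get("passwordCheckSyntax") == "on" and not admin:
        errs = syntax_errors(value, policy)
        if errs:
            raise ValueError("invalid password syntax - " + ", ".join(errs))
    return hash_password(value, policy.get("passwordStorageScheme", "SSHA512"))


def rejection(value, actor_dn, policy):
    """The error message the server would return, or None if the value is accepted."""
    try:
        admit_password(value, actor_dn, policy)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    me = "uid=alberto,ou=my,dc=my,dc=domain"     # assumed ordinary user DN
    print(admit_password("1234", me, SUB_OU_POLICY))          # hashed with {SSHA}
    print(rejection(hash_password("1234"), me, SUB_OU_POLICY))  # refused: tagged value
    print(rejection("1234", me, GLOBAL_POLICY))               # refused: syntax
```

Run as-is, '1234' from an ordinary binder is accepted and hashed with {SSHA} under the sub-OU policy because syntax checking is off there, but a scheme-tagged value from the same binder is refused with the error 19 text Alberto saw under either policy; only the DN listed in that policy's passwordAdminDN (or Directory Manager) gets it stored verbatim. That separation is the right one for a server to make: it cannot evaluate length or categories on a digest, and accepting tags from everyone would let any user with write access to their own userPassword smuggle in a weakly hashed or already-known hash value.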

[389-users] Re: password policy

2018-09-26 Thread Mark Reynolds



On 09/26/2018 03:51 PM, Alberto Viana wrote:

Hi Mark,

I already have this configuration but it stopped working after I 
enabled my password policy. Another thing is the error changed; it's 
not the same as when the prehashed config was missing and my password was set 
to off.


When you turn syntax checking on then Password Admin functionality 
breaks, correct?  If so, it sounds like a bug then.  Please file a 
ticket with the exact steps to reproduce the problem.


https://pagure.io/389-ds-base/new_issue

Thanks,
Mark




[389-users] Re: password policy

2018-09-26 Thread Alberto Viana
Hi Mark,

I already have this configuration but it stopped working after I enabled my
password policy. Another thing is the error changed; it's not the same as when
the prehashed config was missing and my password was set to off.



[389-users] Re: password policy

2018-02-27 Thread Mark Reynolds
Correct, all the "global" password policy settings are stored in the
cn=config entry.

On 02/27/2018 01:24 PM, Alberto Viana wrote:
> Hi guys,
>
> When I enable global password policy, is that suppose to affect cn=config?
>
> I Just want to confirm that.
>
>