Re: [Freeipa-users] compat settings
On 05/21/2015 02:59 AM, Rudolf Gabler wrote:
> Hi to whom it may concern,
>
> we used for many years a 2-location policy to separate email users from unix users in order not to use the same passwords. So we had 2 trees in our LDAP with the same user but different passwords.

Sorry for reviving this thread a month later.

I am a bit puzzled. On one hand I hear a lot of desire for the consolidation on the single account and making sure the password the user has is compliant with the central policies. On the other side I continue to come across the cases when a single account needs more than one password. And I am really confused why? Would using OTP, for example, be a good enough alternative? What is the practical reason to force a user to have more than one password in the enterprise environment?

I wonder, does OTP auth with IPA native tokens work against the compat tree? It should... So with OTP it is always a different password for two accounts. Should be good enough. No?

What am I missing?

Dmitri

> In freeipa (where we want to migrate now) I can use the accounts and compat (for email) trees for this purpose and so I added a
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: userPassword=*
>
> to the compat settings to have a separate place for the password (!not userPassword=%{userPassword}, because then the accounts passwords are mirrored).
>
> This works, but I'm not allowed to change the password, i.e. with:
>
> ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
>
> I get a result of:
>
> No such object (32)
> Additional info: Failed to update password
>
> whereas for the accounts tree the ldappasswd is working fine.
>
> What additional setting may be required?
>
> Regards,
> Rudi Gabler

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] compat settings
On Thu, 21 May 2015, Rudolf Gabler wrote:
> Hi to whom it may concern,
>
> we used for many years a 2-location policy to separate email users from unix users in order not to use the same passwords. So we had 2 trees in our LDAP with the same user but different passwords.
>
> In freeipa (where we want to migrate now) I can use the accounts and compat (for email) trees for this purpose and so I added a
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: userPassword=*
>
> to the compat settings to have a separate place for the password (!not userPassword=%{userPassword}, because then the accounts passwords are mirrored).
>
> This works, but I'm not allowed to change the password, i.e. with:
>
> ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
>
> I get a result of:
>
> No such object (32)
> Additional info: Failed to update password
>
> whereas for the accounts tree the ldappasswd is working fine.
>
> What additional setting may be required?

slapi-nis does not support modifying entries in the compat tree. The tree is virtual; it is re-populated from the original data every time the 389-ds server is restarted.

-- 
/ Alexander Bokovoy
[Freeipa-users] compat settings
Hi to whom it may concern,

we used for many years a 2-location policy to separate email users from unix users in order not to use the same passwords. So we had 2 trees in our LDAP with the same user but different passwords.

In freeipa (where we want to migrate now) I can use the accounts and compat (for email) trees for this purpose and so I added a

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: userPassword=*

to the compat settings to have a separate place for the password (!not userPassword=%{userPassword}, because then the accounts passwords are mirrored).

This works, but I'm not allowed to change the password, i.e. with:

ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com

I get a result of:

No such object (32)
Additional info: Failed to update password

whereas for the accounts tree the ldappasswd is working fine.

What additional setting may be required?

Regards,
Rudi Gabler