On 09/26/2018 04:15 PM, Mark Reynolds wrote:



On 09/26/2018 03:51 PM, Alberto Viana wrote:
Hi Mark,

I already have this configuration, but it stopped working after I enabled my password policy. Another thing is that the error changed; it's not the same as when the prehashed config was missing and my password was set to off.

When you turn syntax checking on then Password Admin functionality breaks, correct? If so, it sounds like a bug then. Please file a ticket with the exact steps to reproduce the problem.
Actually I think you need to set (again) passwordAdminDN in each subtree policy. Please try this and let me know if it works.

Thanks,
Mark

https://pagure.io/389-ds-base/new_issue

Thanks,
Mark

On Wed, Sep 26, 2018, 16:47 Mark Reynolds <mreyno...@redhat.com> wrote:

    Hi Alberto,

    Only Directory Manager or a Password Admin can add pre-hashed
    passwords.  It has nothing to do with password policy settings.
    For more on password admins see:

    https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/password_administrators

    HTH,

    Mark


    On 09/26/2018 02:31 PM, Alberto Viana wrote:
    I have a password applied  globally like this:

    dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=my,dc=domain
    passwordLockout: off
    passwordGraceLimit: 50
    passwordWarning: 86400
    passwordInHistory: 3
    passwordMinLength: 8
    passwordMinCategories: 3
    passwordStorageScheme: SSHA512
    passwordChange: on
    passwordMaxAge: 31536000
    passwordCheckSyntax: on
    passwordExp: on
    objectClass: top
    objectClass: ldapsubentry
    objectClass: passwordpolicy
    cn: cn=nsPwPolicyEntry,DC=my,DC=domain

    In a sub OU, I have this policy:

    # cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain
    dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
    passwordLockout: off
    passwordGraceLimit: 50
    passwordStorageScheme: SSHA
    passwordChange: on
    passwordMaxAge: 31536000
    passwordCheckSyntax: off
    passwordExp: off
    objectClass: top
    objectClass: ldapsubentry
    objectClass: passwordpolicy
    cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain

    But when I try to add a prehashed password on this sub OU, I see
    this kind of error:
    LDAP: error code 19 - invalid password syntax - passwords with
    storage scheme are not allowed

    Is this expected behavior even if in the sub OU I have a
    password policy with passwordCheckSyntax set to off? If so, do I
    have any way to disable this behavior? (but I can not disable my
    global password policy)

    PS: The password policy is respecting the fact that
    passwordCheckSyntax is set to off when I try to add a simple
    password like '1234'.


    _______________________________________________
    389-users mailing list -- 389-us...@lists.fedoraproject.org
    To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
    Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives: https://lists.fedoraproject.org/archives/list/389-us...@lists.fedoraproject.org



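The suggestion in this thread is to set passwordAdminDN in each subtree policy. As an added example (not from the thread or the 389 Directory Server project), this Python script parses an LDIF export of the policy entries, lists which ones lack passwordAdminDN, and recognises pre-hashed values by their storage scheme prefix. The sample LDIF is constructed from the entries quoted above, and the admin group DN in it is a hypothetical placeholder.

```python
import re

# Constructed sample modelled on the thread's entries; admin DN is a placeholder.
SAMPLE_LDIF = r"""
dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=
 my,dc=domain
objectClass: passwordpolicy
passwordCheckSyntax: on
passwordAdminDN: cn=Password Admins,ou=Groups,dc=my,dc=domain

dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cdc\3Dmy\2Cdc\3Ddomain,
 cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,dc=my,dc=domain
objectClass: passwordpolicy
passwordCheckSyntax: off
"""

def parse_ldif(text):
    """Parse LDIF into {lowercased attr: [values]} dicts (base64 '::' not decoded)."""
    unfolded = re.sub(r"\r?\n ", "", text)  # undo LDIF line folding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):  # skip comments
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_policies(entries):
    """List each password policy entry with its syntax check and admin DN."""
    findings = []
    for e in entries:
        if "passwordpolicy" in (v.lower() for v in e.get("objectclass", [])):
            findings.append({
                "dn": e["dn"][0],
                "check_syntax": e.get("passwordchecksyntax", ["(unset)"])[0],
                "admin_dn": e.get("passwordadmindn", [None])[0],
            })
    return findings

def is_prehashed(value):
    """True if a userPassword value carries a {SCHEME} storage prefix."""
    return re.match(r"^\{[A-Za-z0-9_-]+\}.+", value) is not None

if __name__ == "__main__":
    for f in audit_policies(parse_ldif(SAMPLE_LDIF)):
        admin = f["admin_dn"] or "MISSING passwordAdminDN"
        print(f"{f['dn']}: passwordCheckSyntax={f['check_syntax']}, {admin}")
```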