[Fedora-directory-users] Password policy don't work on a subtree

Rich Megginson rmeggins at redhat.com
Thu Feb 26 15:55:21 UTC 2009


Hugo Etievant wrote:
> hello,
>
> I use only the GUI for configuration. I do not use the perl script.
The GUI does the same thing as the perl script.
>
> I have checked the "Enable fine-grained password policy" on the global 
> Password Policy.
> And I have configured a local password policy on a subtree.
> But this second policy does not work as it should: the minimum length 
> of password is ignored.
>
> "nsslapd-pwpolicy-local: on" appears in my dse.ldif file
>
> An ldap search shows the password policy but some attribute of my policy does 
> not appear!
>
>
> example:
> dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,dc=fr",cn=nsPwPolicyContainer,ou=tests,dc=inrp,dc=fr
> passwordMinDigits: 1
> passwordMinAlphas: 1
> passwordStorageScheme: ssha
> passwordGraceLimit: 0
> passwordCheckSyntax: on
> passwordMinTokenLength: 2
> passwordInHistory: 10
> passwordChange: on
> passwordWarning: 0
> passwordMinAge: 0
> passwordHistory: on
> passwordExp: on
> passwordMustChange: off
> passwordMaxAge: 63072000
> objectClass: ldapsubentry
> objectClass: passwordpolicy
>
> Here, the "passwordMinLen" attribute does not appear, but I have entered 
> this with the GUI tool (value = "8" chars)!!!!
>
> Is this a bug?
>
>
> I apply the same policy for global and for local subtree but I have 
> different LDAP entries!
>
> global policy attributes :
>
> nsslapd-security: on
> nsslapd-pwpolicy-local: on
> passwordMinLength: 8
> passwordMinCategories: 3
> passwordMinTokenLength: 2
> passwordCheckSyntax: on
> passwordMinAlphas: 1
> passwordMinDigits: 1
> passwordMaxAge: 63072000
> passwordExp: on
> passwordHistory: on
> passwordWarning: 0
> passwordInHistory: 10
>
> local policy attributes :
>
> passwordMinDigits: 1
> passwordMinAlphas: 1
> passwordStorageScheme: ssha
> passwordGraceLimit: 0
> passwordCheckSyntax: on
> passwordMinTokenLength: 2
> passwordInHistory: 10
> passwordChange: on
> passwordWarning: 0
> passwordMinAge: 0
> passwordHistory: on
> passwordExp: on
> passwordMustChange: off
> passwordMaxAge: 63072000
>
> Here: passwordMinLen is lost!!!!!
Is passwordMinLength the only attribute you cannot set in your local 
password policy?  Do you have this problem with any other attribute?
>
>
> => How can I apply this rule about min length of password?????
>
>
> regards
>
>
> Visolve LDAP Group wrote:
>>
>> Hi,
>>
>> Hugo Étiévant,
>>
>> I believe you configured the subtree password policy through the 
>> ns-newpwpolicy.pl script.
>>
>> When you configure the global password policy it may override the 
>> subtree password policy. So make sure that 'nsslapd-pwpolicy-local' is 
>> 'on' in the cn=config entry of the dse.ldif file to make the subtree 
>> policy work.
>>
>> This attribute decides whether the local password policy is enabled 
>> or not. Anyway, the execution of the ns-newpwpolicy.pl script will turn 
>> this attribute value to 'on'.
>>
>> However, you cannot see any traces of subtree password policy 
>> attributes by searching the cn=config tree or in the dse.ldif file. It will 
>> show only global password policy attributes.
>>
>> You can see the list of applied subtree password policy attributes 
>> by performing a search like this.
>>
>> /opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
>> -D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry
>>
>> dn: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
>> passwordExp: off
>> passwordMaxAge: 10
>> passwordWarning: 15
>> passwordGraceLimit: 1
>> pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
>>
>> Regards,
>>
>> ViSolve LDAP Team.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com 
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Hugo 
>> Etievant
>> Sent: Wednesday, February 25, 2009 9:41 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: [Fedora-directory-users] Password policy don't work on a 
>> subtree
>>
>> hello,
>>
>> version: Directory Server 1.1.3 on Fedora 8 64-bit platform
>>
>> When I configure a password policy on a subtree of my directory, this
>> policy does not work.
>> When I configure a global password policy, this global policy works but
>> ignores the local policies of subtrees.
>>
>> When I look at the database's ldif backup, I do not find the
>> "passwordMinLength" attribute for the local password policy for subtrees
>> but this attribute exists in the dse ldif for the global policy!
>>
>> How do I resolve this?
>>
>
>
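
An added example, not from this thread or from the Directory Server project: the script below does offline what the two replies above do by hand. It parses ldapsearch-style LDIF (folded continuation lines, comments, base64 values), confirms that nsslapd-pwpolicy-local is 'on' in cn=config, and for every entry carrying the ldapsubentry and passwordpolicy object classes lists the required attributes that are absent and the password* attributes the global policy sets but the subtree policy does not, which is the passwordMinLength gap Hugo spotted by comparing the two entries by eye. The LDIF embedded in the script is constructed to mirror the entries quoted in the thread, and the list of required attributes is this script's own choice, not a Directory Server setting.

```python
import base64

# Constructed sample (not real output from the poster's server): a cn=config
# excerpt holding the global policy, then one subtree policy entry whose DN
# is folded across two lines the way ldapsearch emits long values.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordCheckSyntax: on
passwordExp: on

dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,dc=fr",cn=nsPwPolicyContaine
 r,ou=tests,dc=inrp,dc=fr
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordMinDigits: 1
passwordMinAlphas: 1
passwordCheckSyntax: on
passwordExp: on
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr_lowercase: [values]}).

    Unfolds continuation lines (leading space), skips comments and decodes
    base64 ('::') values. Attribute names are lowercased because LDAP
    attribute types are case-insensitive.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, dn, attrs = [], None, {}
    for line in unfolded:
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        key = name.strip().lower()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def is_subtree_policy(attrs):
    ocs = {v.lower() for v in attrs.get("objectclass", [])}
    return {"ldapsubentry", "passwordpolicy"} <= ocs


def check_policies(text, required=("passwordminlength",)):
    """Report whether fine-grained policy is switched on in cn=config and, for
    every subtree policy entry, which required attributes are absent and which
    password* attributes the global policy sets that the local one does not.
    The 'required' tuple is this example's own choice of what to insist on.
    """
    entries = parse_ldif(text)
    config = next((a for d, a in entries if d.lower() == "cn=config"), {})
    local_on = config.get("nsslapd-pwpolicy-local", [""])[0].lower() == "on"
    global_pw = {k for k in config if k.startswith("password")}
    report = {"local_policy_enabled": local_on, "policies": {}}
    for dn, attrs in entries:
        if is_subtree_policy(attrs):
            report["policies"][dn] = {
                "missing_required": [a for a in required if a not in attrs],
                "global_only": sorted(global_pw - set(attrs)),
            }
    return report


if __name__ == "__main__":
    result = check_policies(SAMPLE_LDIF)
    print("nsslapd-pwpolicy-local on:", result["local_policy_enabled"])
    for dn, findings in result["policies"].items():
        print(dn)
        print("  missing required:", findings["missing_required"])
        print("  set globally but not here:", findings["global_only"])
```

Run it as-is to see the report for the constructed sample. To check a live server, feed check_policies the concatenated output of an ldapsearch on cn=config (bound as Directory Manager) and the objectclass=ldapsubentry search ViSolve gave above; a subtree policy that shows up in "missing required" is the situation described in this thread, and nothing in the report tells you why the attribute is absent, only that the server does not hold it.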

