[Fedora-directory-users] FDS Password policy and passsync

Hugo Etievant hugo.etievant at inrp.fr
Thu Mar 12 14:15:21 UTC 2009


Hi,

I found the explanation of my problem: Unicode characters are accepted by
Windows Server but refused by FDS.
Only 7-bit characters are accepted for userpassword in FDS.

I disabled the "enforce clean 7 bits attribute value" for the userPassword
attribute in the "7 bits plugin" of my DS with the IDM Console.
Now Unicode passwords are accepted by FDS and passsync does not fail.

The ldapsearch command line accepts Unicode passwords, but some applications
(Thunderbird) do not accept Unicode passwords!!!!


Do you have a solution for me?
Can I enforce 7-bit clean in Windows Server 2003????


regards



Hugo Etievant wrote:
> hello,
>
> Step 1:
> I have created a replication agreement between an FDS (DS 1.1.3 on Fedora
> 8) server and a Windows 2003 Server (Active Directory).
> User's passwords are successfully synchronized.
>
> Step 2:
> I activated password policy in FDS and in AD.
> Password policies are identical.
>
> But some passwords are not synchronized between AD and FDS (in this way
> only).
> Error message in the log:
>
> 03/12/09 09:49:01: Ldap error in ModifyPassword
>     19: Constraint violation
> 03/12/09 09:49:01: Modify password failed for remote entry: 
> uid=foobar,ou=people,dc=inrp,dc=fr
> 03/12/09 09:49:01: Deferring password change for foobar
>
>
> Details of the password policy in FDS:
>
> nsslapd-security: on
> nsslapd-auditlog-logging-enabled: on
> nsslapd-errorlog-level: 8192
> nsslapd-pwpolicy-local: on
> passwordMinLength: 8
> passwordMinCategories: 3
> passwordMinTokenLength: 2
> passwordCheckSyntax: on
> passwordMinAlphas: 0
> passwordMinDigits: 0
> passwordMaxAge: 63072000 (seconds = 730 days)
> passwordExp: on
> passwordHistory: on
> passwordWarning: 0
> passwordInHistory: 10
>
> Details of the password policy in AD (I use "Windows Server 2003 Password
> Complexity Requirements"):
>
>     * Passwords cannot contain the user's account name or parts of the
>       user's full name that exceed two consecutive characters.
>     * Passwords must be at least 6 characters in length.
>     * Passwords must contain characters from three of the following
>       four categories:
>
>   1. English uppercase characters (A through Z).
>   2. English lowercase characters (a through z).
>   3. Base 10 digits (0 through 9).
>   4. Non-alphabetic characters (for example, !, $, #, %).
>
> password history = 10
> max age : 730 days
> password min len : 8
>
>
>
>
>
> Why do some of my users have problems (FDS does not accept the new Windows
> password)?
>
> regards
>
> -- 
> * Hugo Étiévant *


-- 
* Hugo Étiévant *
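
The failure discussed in this thread can be found in a PassSync log by pairing each "Modify password failed" line with the LDAP result code logged just before it. The Python below is an added example, not code from the original post or from the FDS project; the log lines are constructed from the excerpt quoted above (the second failure is invented), and it assumes the password reaches the directory UTF-8 encoded.

```python
import re

# Constructed sample modelled on the PassSync log excerpt quoted in the thread;
# the second failure (result 49, uid=alice) is invented for contrast.
SAMPLE_LOG = """\
03/12/09 09:49:01: Ldap error in ModifyPassword
    19: Constraint violation
03/12/09 09:49:01: Modify password failed for remote entry: uid=foobar,ou=people,dc=inrp,dc=fr
03/12/09 09:49:01: Deferring password change for foobar
03/12/09 09:52:40: Ldap error in ModifyPassword
    49: Invalid credentials
03/12/09 09:52:40: Modify password failed for remote entry: uid=alice,ou=people,dc=inrp,dc=fr
"""

CODE_RE = re.compile(r"^\s+(\d+): .+$")  # indented "<LDAP result code>: <text>"
FAILED_RE = re.compile(r"^(\S+ \S+): Modify password failed for remote entry: (.+)$")
CONSTRAINT_VIOLATION = 19


def rejected_by_directory(log_text):
    """Return (timestamp, dn) for failed syncs whose LDAP result was 19."""
    hits, last_code = [], None
    for line in log_text.splitlines():
        code = CODE_RE.match(line)
        if code:
            last_code = int(code.group(1))
            continue
        failed = FAILED_RE.match(line)
        if failed:
            if last_code == CONSTRAINT_VIOLATION:
                hits.append((failed.group(1), failed.group(2).strip()))
            last_code = None  # a result code applies to one failure only
    return hits


def is_7bit_clean(value):
    """True when no byte of the UTF-8 encoded value has its high bit set
    (assumption: the password reaches the directory as UTF-8)."""
    return all(byte < 0x80 for byte in value.encode("utf-8"))


if __name__ == "__main__":
    for when, dn in rejected_by_directory(SAMPLE_LOG):
        print(f"{when}  constraint violation  {dn}")
    # Constructed candidate passwords, not real credentials.
    for candidate in ("Summer2009!", "Été2009!"):
        print(candidate, "7-bit clean" if is_7bit_clean(candidate) else "contains 8-bit bytes")
```

Result 19 is also returned for other policy rejections (length, history, syntax), so the 7-bit test narrows the cause only when the candidate value is known.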