Gerrard Geldenhuis wrote:
>>> Does local password policy settings get replicated?
>>> I would assume yes because it is writes:
>>>
>>> dn: cn=cn=nsPwPolicyEntry\,uid=jdoe\,ou=people\,dc=example\,dc=com,
>>> cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
>>> objectclass: top
>>> objectclass: extensibleObject
>>> objectclass: ldapsubentry
>>> objectclass: passwordpolicy
>>>
>>> according to the documentation.
>>>
>>> ( after typing this email I am doubting my assumption )
>>>
>>> Can I thus change password policy for a subtree only once or should I be
>>> changing it on all servers regardless?
>>>
>>>
>> Yes, but you also have to separately activate global password policy on
>> each server:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#User_Account_Management->Managing_the_Password_Policy
>> You must "Enable Fine Grained Password Policy" on every server.
>>
>
> Ok, excellent so it does get replicated if it is local but not if it is
> global.
>
Yes. cn=config settings are not replicated.
> I was aware that I have to set it manually on a global level which is why I
> asked the question. It is a bit confusing that local password policies will
> get replicated but not global password policies. I will raise an enhancement
> request in bugzilla to make sure that this distinction is added to the
> documentation.
>
> On a related note,.. the documentation mentions that there is a bug:
> 13.1.1.5. Manually Setting Default Password Syntax Checking for Local
> Password Policies
> <cut>
> However, there is a bug in Directory Server, so that if a password policy
> attribute is set in the global password policy but not in the local password
> policy, then neither the global setting nor the default settings is enforced
> by the local password policy. To work around this, set the password
> attributes explicitly in the local password policy.
>
> I am sure I saw a fixed bugzilla for it but going through the release notes
> https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0
> I can't see any mention of this bug being fixed
>
I'm not sure which bug you mean. You opened this bug which is related but
not the same: https://bugzilla.redhat.com/show_bug.cgi?id=627993
There is an old bug about the global/local default settings issue:
https://bugzilla.redhat.com/show_bug.cgi?id=190862
> Can you confirm that this is still a bug or has been resolved? If it has been
> resolved I will raise another bugzilla to remove this from the documentation.
>
> Best Regards
>
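Added example (not part of the original thread and not code from the 389 Directory Server project): a Python check that takes the cn=config entry and a local policy entry exported as LDIF from one server, and reports whether fine-grained policy is enabled there and which globally set password* attributes are absent from the local policy, following the documented workaround quoted above. The LDIF samples and the function names parse_entry and audit are constructed for illustration.

```python
# Added example; the LDIF below is constructed sample data, not from a real server.
GLOBAL_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on
passwordCheckSyntax: on
passwordMinLength: 12
passwordMinDigits: 1
passwordLockout: on
"""

# Local (subtree) policy entry; the DN is folded the way LDIF wraps long lines.
LOCAL_LDIF = r"""
dn: cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,
 cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: ldapsubentry
objectclass: passwordpolicy
passwordCheckSyntax: on
passwordMinLength: 8
"""


def parse_entry(ldif):
    """Parse a single LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # continuation of a folded line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def audit(global_entry, local_entry):
    """Findings for one server; cn=config is not replicated, so run this per server."""
    findings = []
    if global_entry.get("nsslapd-pwpolicy-local", ["off"])[0].lower() != "on":
        findings.append("fine-grained policy disabled: nsslapd-pwpolicy-local is not on")
    for attr in sorted(global_entry):
        if attr.startswith("password") and attr not in local_entry:
            findings.append(f"{attr}: set in cn=config, missing from local policy")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_entry(GLOBAL_LDIF), parse_entry(LOCAL_LDIF)):
        print(finding)
```

Attribute names are compared case-insensitively, and base64-encoded values (attr:: value) are not decoded by this parser.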
