Re: [389-users] problems with password policies
I think I have this sorted. It looks like the problem is that ns-newpwpolicy.pl uses '=' instead of its ASCII value (\3D) in the RDN of the password policy itself and in the costemplatedn attribute of the CoS specification. Below is what is working for me.

-morgan

Check that nsslapd-pwpolicy-local is on:

$ ldapsearch -H ldaps://devsgldap01.domain.net -x -D cn=directory\ manager -y ~/Docs/.pass2 -LLLb cn=config -s base nsslapd-pwpolicy-local
dn: cn=config
nsslapd-pwpolicy-local: on

Top level container:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(objectclass=nscontainer)'
dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
cn: nsPwPolicyContainer
objectClass: top
objectClass: nsContainer

Password policy itself. Note that '=' has been replaced with '\3D' in the DN that is the RDN:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=passwordpolicy))'
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
passwordMaxFailure: 10
passwordResetFailureCount: 600
passwordLockout: on
passwordStorageScheme: ssha
passwordCheckSyntax: on
passwordChange: off
passwordMinAge: 0
passwordExp: off
passwordMustChange: off
passwordMinLength: 6
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org

The CoS template that has the pwdpolicysubentry value pointing to the above nsPwPolicyEntry entry. pwdpolicysubentry is operational, ask for it separately:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=costemplate))'
dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=costemplate))' pwdpolicysubentry
dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

CoS specification at the subtree level. Note that '=' has been replaced with '\3D' in costemplatedn:

$ ldapsearch -LLL -H ldaps://devsgldap01.domain.net -D cn=directory\ manager -x -y ~/Docs/.pass2 '(&(objectclass=ldapsubentry)(objectclass=cossuperdefinition))'
dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
costemplatedn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
cn: nsPwPolicy_cos
cosAttribute: pwdpolicysubentry default operational-default
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition

On Aug 26, 2013, at 2:49 PM, Morgan Jones wrote:

>
> On Aug 23, 2013, at 4:02 AM, Ludwig Krispenz wrote:
>
>> Did you enable the global password policy and set nsslapd-pwpolicy-local: on ?
>
> Yes, it is set
>
>>
>> The admin guide (chapter 14.1.2) says that pwpolicy must be enabled
>> globally before local policies are used.
>>
>> And I think your cos definition is incomplete: the costemplate needs to hold a
>> value for the cos attribute,
>> pwdpolicysubentry:
>> cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>
> pwdpolicysubentry is set, it didn't show up on my search below because it's
> apparently an operational attribute (I get it if I request it). It's set for
> both of the templates--the one added by the command line and the one added by
> the console:
>
> $ ldapsearch -H ldaps://devsgldapm01.domain.net -x -y ~/Docs/.pass2 -D cn=directory\ manager -LLL '(&(objectclass=costemplate)(objectclass=ldapsubentry))' pwdpolicysubentry objectclass
> dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectclass: top
> objectclass: extensibleObject
> objectclass: costemplate
> objectclass: ldapsubentry
>
> dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectclass: extensibleObject
> objectclass: costemplate
> objectclass: ldapsubentry
> objectclass: top
>
> thanks,
>
> -mor
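The escaping the working entries above rely on, as an added example that is not code from the thread, from 389-DS or from ns-newpwpolicy.pl: it builds the RDN-escaped DNs for a subtree policy per RFC 4514 (the container, policy, template and CoS names are the ones the script creates), emits the CoS LDIF that points at them, and checks entries read back from the directory for exactly the unescaped '=' mismatch described in the thread. The subtree value, the dict shape of the read-back entries and the choice of \XX hex escaping are assumptions of the example.

```python
# Added example, not code from the thread or from 389-DS / ns-newpwpolicy.pl:
# build the DN-valued RDNs of a 389-DS subtree password policy, escaped per
# RFC 4514 so '=' becomes \3D and ',' becomes \2C, as in the working entries.

_SPECIAL = ',+"\\<>;='   # always escaped inside an RDN value (RFC 4514 2.4)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for embedding in an RDN, using \\XX hex form."""
    last, out = len(value) - 1, []
    for i, ch in enumerate(value):
        special = (ch in _SPECIAL or ord(ch) < 0x20 or (ch == '#' and i == 0)
                   or (ch == ' ' and i in (0, last)))
        out.append('\\%02X' % ord(ch) if special else ch)
    return ''.join(out)


def policy_dns(subtree: str) -> dict:
    """DNs ns-newpwpolicy.pl creates for a subtree (names from the thread),
    with the DN-valued cn of the policy and template escaped as RDN values."""
    container = 'cn=nsPwPolicyContainer,' + subtree
    policy_cn = 'cn=nsPwPolicyEntry,' + subtree
    template_cn = 'cn=nsPwTemplateEntry,' + subtree
    return {'container': container, 'template_cn': template_cn,
            'policy': 'cn=%s,%s' % (escape_rdn_value(policy_cn), container),
            'template': 'cn=%s,%s' % (escape_rdn_value(template_cn), container),
            'cos': 'cn=nsPwPolicy_cos,' + subtree}


def cos_ldif(subtree: str) -> str:
    """CoS template plus pointer definition; both pointer attributes must
    carry the escaped DNs or the CoS never resolves to the policy entry."""
    d = policy_dns(subtree)
    return '\n'.join([
        'dn: ' + d['template'], 'objectClass: top', 'objectClass: ldapsubentry',
        'objectClass: extensibleObject', 'objectClass: costemplate',
        'cn: ' + d['template_cn'], 'cosPriority: 1',
        'pwdpolicysubentry: ' + d['policy'], '',
        'dn: ' + d['cos'], 'objectClass: top', 'objectClass: LDAPsubentry',
        'objectClass: cosSuperDefinition', 'objectClass: cosPointerDefinition',
        'cn: nsPwPolicy_cos', 'costemplatedn: ' + d['template'],
        'cosAttribute: pwdpolicysubentry default operational-default', ''])


def cos_wiring_ok(entries: dict, subtree: str) -> bool:
    """entries: {dn: {attr: value}} as read back with ldapsearch (request the
    operational pwdpolicysubentry explicitly). True only when costemplatedn
    names the template, the template names the policy, and the policy exists."""
    d = policy_dns(subtree)
    cos, tpl = entries.get(d['cos'], {}), entries.get(d['template'], {})
    return (cos.get('costemplatedn') == d['template']
            and tpl.get('pwdpolicysubentry') == d['policy']
            and d['policy'] in entries)
```

Feed the output of cos_ldif to ldapadd only after the policy entry itself exists under the container, since the template's pwdpolicysubentry must name an entry the server can resolve.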
Re: [389-users] problems with password policies
On Aug 23, 2013, at 4:02 AM, Ludwig Krispenz wrote:

> Did you enable the global password policy and set nsslapd-pwpolicy-local: on ?

Yes, it is set

>
> The admin guide (chapter 14.1.2) says that pwpolicy must be enabled globally
> before local policies are used.
>
> And I think your cos definition is incomplete: the costemplate needs to hold a
> value for the cos attribute,
> pwdpolicysubentry:
> cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

pwdpolicysubentry is set, it didn't show up on my search below because it's apparently an operational attribute (I get it if I request it). It's set for both of the templates--the one added by the command line and the one added by the console:

$ ldapsearch -H ldaps://devsgldapm01.domain.net -x -y ~/Docs/.pass2 -D cn=directory\ manager -LLL '(&(objectclass=costemplate)(objectclass=ldapsubentry))' pwdpolicysubentry objectclass
dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectclass: top
objectclass: extensibleObject
objectclass: costemplate
objectclass: ldapsubentry

dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectclass: extensibleObject
objectclass: costemplate
objectclass: ldapsubentry
objectclass: top

thanks,

-morgan

>
>
> Ludwig
>
> On 08/22/2013 11:06 PM, Morgan Jones wrote:
>> Either I'm missing something or password policies just don't work in Redhat
>> (CentOS) directory 8.2.8.
>>
>> I started by creating a subtree policy on the command line:
>>
>> # ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org
>> adding new entry cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>
>> adding new entry cn=cn=nsPwPolicyEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>
>> adding new entry cn=cn=nsPwTemplateEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>>
>> adding new entry cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
>>
>> modifying entry cn=config
>>
>> The following were created:
>>
>> dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: nsContainer
>> cn: nsPwPolicyContainer
>>
>> dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: costemplate
>> objectClass: ldapsubentry
>> cosPriority: 1
>> cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
>>
>> dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: LDAPsubentry
>> objectClass: cosSuperDefinition
>> objectClass: cosPointerDefinition
>> costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> cosAttribute: pwdpolicysubentry default operational-default
>> cn: nsPwPolicy_cos
>>
>> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>
>> I added the policy attributes we're interested in:
>>
>> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> passwordResetFailureCount: 600
>> passwordMaxFailure: 10
>> passwordLockout: on
>> passwordMinLength: 6
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>
>> I then tried 11 ldapsearches as a user under ou=students,dc=domain,dc=org
>> and the account was not locked out.
>>
>> I then checked the console and the settings weren't there. I set them and
>> it added two additional entries:
>>
>> dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> passwordMaxFailure: 10
>> passwordResetFailureCount: 600
>> passwordLockout: on
>> passwordStorageScheme: ssha
>> passwordCheckSyntax: on
>> passwordChange: off
>> passwordMinAge: 0
>> passwordExp: off
>> passwordMustChange: off
>> passwordMinLength: 6
>> objectClass: ldapsubentry
>> objectClass: passwordpolicy
>> objectClass: top
>> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>>
>> dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>> objectCla
Re: [389-users] problems with password policies
Did you enable the global password policy and set nsslapd-pwpolicy-local: on ?

The admin guide (chapter 14.1.2) says that pwpolicy must be enabled globally before local policies are used.

And I think your cos definition is incomplete: the costemplate needs to hold a value for the cos attribute,
pwdpolicysubentry: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

Ludwig

On 08/22/2013 11:06 PM, Morgan Jones wrote:
> Either I'm missing something or password policies just don't work in Redhat (CentOS) directory 8.2.8.
>
> I started by creating a subtree policy on the command line:
>
> # ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org
> adding new entry cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>
> adding new entry cn=cn=nsPwPolicyEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>
> adding new entry cn=cn=nsPwTemplateEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
>
> adding new entry cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
>
> modifying entry cn=config
>
> The following were created:
>
> dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectClass: top
> objectClass: nsContainer
> cn: nsPwPolicyContainer
>
> dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectClass: top
> objectClass: extensibleObject
> objectClass: costemplate
> objectClass: ldapsubentry
> cosPriority: 1
> cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
>
> dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
> objectClass: top
> objectClass: LDAPsubentry
> objectClass: cosSuperDefinition
> objectClass: cosPointerDefinition
> costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> cosAttribute: pwdpolicysubentry default operational-default
> cn: nsPwPolicy_cos
>
> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectClass: top
> objectClass: ldapsubentry
> objectClass: passwordpolicy
> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>
> I added the policy attributes we're interested in:
>
> dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> passwordResetFailureCount: 600
> passwordMaxFailure: 10
> passwordLockout: on
> passwordMinLength: 6
> objectClass: top
> objectClass: ldapsubentry
> objectClass: passwordpolicy
> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>
> I then tried 11 ldapsearches as a user under ou=students,dc=domain,dc=org and the account was not locked out.
>
> I then checked the console and the settings weren't there. I set them and it added two additional entries:
>
> dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> passwordMaxFailure: 10
> passwordResetFailureCount: 600
> passwordLockout: on
> passwordStorageScheme: ssha
> passwordCheckSyntax: on
> passwordChange: off
> passwordMinAge: 0
> passwordExp: off
> passwordMustChange: off
> passwordMinLength: 6
> objectClass: ldapsubentry
> objectClass: passwordpolicy
> objectClass: top
> cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org
>
> dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
> objectClass: extensibleObject
> objectClass: costemplate
> objectClass: ldapsubentry
> objectClass: top
> cosPriority: 1
> cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org
>
> However I still can't force a user to be locked out. I did set passwordIsGlobalPolicy to on under cn=config though as far as I can tell that only affects replication of password policies. Am I missing something?
>
> thanks,
> -morgan

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
[389-users] problems with password policies
Either I'm missing something or password policies just don't work in Redhat (CentOS) directory 8.2.8.

I started by creating a subtree policy on the command line:

# ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org
adding new entry cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

adding new entry cn=cn=nsPwPolicyEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

adding new entry cn=cn=nsPwTemplateEntry\,ou=students\,dc=domain\,dc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org

adding new entry cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org

modifying entry cn=config

The following were created:

dn: cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

dn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org

dn: cn=nsPwPolicy_cos,ou=students,dc=domain,dc=org
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
costemplatedn: cn=cn=nsPwTemplateEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
cosAttribute: pwdpolicysubentry default operational-default
cn: nsPwPolicy_cos

dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org

I added the policy attributes we're interested in:

dn: cn=cn=nsPwPolicyEntry\2Cou=students\2Cdc=domain\2Cdc=org,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
passwordResetFailureCount: 600
passwordMaxFailure: 10
passwordLockout: on
passwordMinLength: 6
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org

I then tried 11 ldapsearches as a user under ou=students,dc=domain,dc=org and the account was not locked out.

I then checked the console and the settings weren't there. I set them and it added two additional entries:

dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
passwordMaxFailure: 10
passwordResetFailureCount: 600
passwordLockout: on
passwordStorageScheme: ssha
passwordCheckSyntax: on
passwordChange: off
passwordMinAge: 0
passwordExp: off
passwordMustChange: off
passwordMinLength: 6
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,ou=students,dc=domain,dc=org

dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dstudents\2Cdc\3Ddomain\2Cdc\3Dorg,cn=nsPwPolicyContainer,ou=students,dc=domain,dc=org
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: cn=nsPwTemplateEntry,ou=students,dc=domain,dc=org

However I still can't force a user to be locked out. I did set passwordIsGlobalPolicy to on under cn=config though as far as I can tell that only affects replication of password policies. Am I missing something?

thanks,
-morgan