[Fedora-directory-users] Password policy don't work on a subtree

Hugo Etievant hugo.etievant at inrp.fr
Thu Feb 26 14:51:09 UTC 2009


Hello,

I use only the GUI for configuration. I do not use the Perl script.

I have checked "Enable fine-grained password policy" on the global 
Password Policy.
And I have configured a local password policy on a subtree.
But this second policy does not work as it should: the minimum length of 
password is ignored.

"nsslapd-pwpolicy-local: on" appears in my dse.ldif file.

An LDAP search shows the password policy, but some attributes of my policy do 
not appear!


example:
dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp, 
dc=fr",cn=nsPwPolicyContainer,ou=
 tests,dc=inrp,dc=fr
passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000
objectClass: ldapsubentry
objectClass: passwordpolicy

Here, the "passwordMinLen" attribute does not appear, but I have entered 
this with the GUI tool (value = "8" chars)!!!!

Is this a bug?


I apply the same policy for global and for local subtree, but I have 
different LDAP entries!

global policy attributes :

nsslapd-security: on
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
passwordCheckSyntax: on
passwordMinAlphas: 1
passwordMinDigits: 1
passwordMaxAge: 63072000
passwordExp: on
passwordHistory: on
passwordWarning: 0
passwordInHistory: 10

local policy attributes :

passwordMinDigits: 1
passwordMinAlphas: 1
passwordStorageScheme: ssha
passwordGraceLimit: 0
passwordCheckSyntax: on
passwordMinTokenLength: 2
passwordInHistory: 10
passwordChange: on
passwordWarning: 0
passwordMinAge: 0
passwordHistory: on
passwordExp: on
passwordMustChange: off
passwordMaxAge: 63072000

Here: passwordMinLen is lost!!!!!


=> How can I apply this rule about the minimum length of the password?????


regards


Visolve LDAP Group wrote:
> Hi,
>
> Hugo Étiévant,
>
> I believe you configured the sub tree password policy through 
> ns-newpwpolicy.pl script.
>
> When you configure the global password policy it may override the sub 
> tree password policy. So make sure that 'nsslapd-pwpolicy-local' is 
> 'on' in cn=config entry of dse.ldif file to make the sub tree policy 
> to work.
>
> This attribute decides whether the local password policy is enabled or 
> not. Anyways the execution of ns-newpwpolicy.pl script will turn this 
> attribute value to 'on'.
>
> However you cannot see any traces of sub tree Password policy 
> attributes by searching cn=config tree or in dse.ldif file. It will 
> show only global password policy attributes.
>
> You can see list of applied sub tree password policy attributes by 
> performing a search like this.
>
> /opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
> -D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry
>
> dn:cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
> objectClass: top
> objectClass: ldapsubentry
> objectClass: passwordpolicy
> cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
> passwordExp: off
> passwordMaxAge: 10
> passwordWarning: 15
> passwordGraceLimit: 1
> pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolic
>  yContainer,ou=marketing,o=abc.com
>
> Regards,
>
> ViSolve LDAP Team.
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com 
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Hugo 
> Etievant
> Sent: Wednesday, February 25, 2009 9:41 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: [Fedora-directory-users] Password policy don't work on a subtree
>
> hello,
>
> version: Directory Server 1.1.3 on Fedora 8 64 bits platform
>
> When I configure a password policy on a subtree of my directory, this
> policy does not work.
> When I configure a global password policy, this global policy works but
> ignores local policies of subtrees.
>
> When I look at the databases LDIF backup, I do not find the
> "passwordMinLength" attribute for local password policy for subtrees,
> but this attribute exists in the dse ldif for the global policy!
>
> How to resolve this?
>


-- 
* Hugo Étiévant *
*Bibliothèque Denis Diderot
Coordinateur informatique du Projet SID (Système d'Information 
Documentaire)*
hugo.etievant at inrp.fr <mailto:hugo.etievant at inrp.fr>
Tel : 04 72 76 61 13   -  Fax : 04 72 76 61 10
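
Added example, not part of the original message or of the Directory Server project: a small Python check that unfolds LDIF and lists the password* attributes set in the global policy but absent from a subtree policy entry, which is the comparison made by hand in the message above. The LDIF samples are constructed from attribute names in the post; `parse_entry` and `policy_gaps` are hypothetical helper names.

```python
# Constructed samples (not real server output), using attribute names from the post.
GLOBAL_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
passwordCheckSyntax: on
passwordMinAlphas: 1
passwordMinDigits: 1
"""
LOCAL_LDIF = """\
dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,dc=fr",cn=nsPwPolicyContainer,ou=
 tests,dc=inrp,dc=fr
passwordMinDigits: 1
passwordMinAlphas: 1
passwordCheckSyntax: on
passwordMinTokenLength: 2
objectClass: ldapsubentry
objectClass: passwordpolicy
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}.
    Folded lines (continuations starting with one space) are rejoined.
    Base64 ("::") values are not decoded in this sketch."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def policy_gaps(global_entry, local_entry):
    """Return (missing, differing) for password* attributes of the global policy."""
    missing, differing = {}, {}
    for attr, vals in global_entry.items():
        if not attr.startswith("password"):
            continue                      # skip dn, nsslapd-* settings
        if attr not in local_entry:
            missing[attr] = vals[0]
        elif local_entry[attr] != vals:
            differing[attr] = (vals[0], local_entry[attr][0])
    return missing, differing

if __name__ == "__main__":
    missing, differing = policy_gaps(parse_entry(GLOBAL_LDIF), parse_entry(LOCAL_LDIF))
    for attr, val in missing.items():
        print(f"missing in subtree policy: {attr} (global value {val})")
```

To use it on real data, paste the cn=config entry and the ldapsubentry result of the search quoted above in place of the two constructed strings.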



