[Freeipa-users] compat settings

Dmitri Pal dpal at redhat.com
Sat Jun 27 01:47:58 UTC 2015


On 05/21/2015 02:59 AM, Rudolf Gabler wrote:
> Hi to whom it may concern,
>
>
> For many years we used a 2-location policy to separate email users 
> from unix users in order to not use the same passwords. So we had 2 
> trees in our LDAP with the same user but different passwords.


Sorry for reviving this thread a month later.

I am a bit puzzled. On one hand I hear a lot of desire for 
consolidation onto a single account and making sure the password the 
user has is compliant with the central policies.
On the other side I continue to come across cases where a single 
account needs more than one password. And I am really confused why.
Would using OTP for example be a good enough alternative? What is the 
practical reason to force a user to have more than one password in the 
enterprise environment?

I wonder whether OTP auth with IPA native tokens works against the compat tree? 
It should...
So with OTP it is always a different password for the two accounts. Should be 
good enough. No?

What am I missing?

Dmitri

>
> In freeipa (where we want to migrate now) I can use the accounts and 
> compat (for email) trees for this purpose and so I added a
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: userPassword=*
> to the compat settings to have a separate place for the password (not userPassword=%{userPassword}, because then the account's password is mirrored). This works, but I'm not allowed to change the password, i.e. with:
>   ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
> I get a result of:
>
> No such object (32)
> Additional info: Failed to update password
>
> whereas for the accounts tree the ldappasswd is working fine.
> What additional setting may be required?
>
> Regards,
> Rudi Gabler
>
>
>
>


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
