[Freeipa-users] compat settings
Dmitri Pal
dpal at redhat.com
Sat Jun 27 01:47:58 UTC 2015
On 05/21/2015 02:59 AM, Rudolf Gabler wrote:
> Hi to whom it may concern,
>
>
> we used for many years a 2-location policy to separate email users
> from unix users in order not to use the same passwords. So we had 2
> trees in our LDAP with the same user but different passwords.
Sorry for reviving this thread a month later.
I am a bit puzzled. On one hand I hear a lot of desire for
consolidation on a single account and making sure the password the
user has is compliant with the central policies.
On the other side I continue to come across cases where a single
account needs more than one password. And I am really confused why.
Would using OTP for example be a good enough alternative? What is the
practical reason to force a user to have more than one password in the
enterprise environment?
I wonder whether OTP auth with IPA native tokens works against the compat tree?
It should...
So with OTP it is always a different password for the two accounts. Should be
good enough. No?
What am I missing?
Dmitri
>
> In freeipa (where we want to migrate now) I can use the accounts and
> compat (for email) trees for this purpose and so I added a
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: userPassword=*
> to the compat settings to have a separate place for the password (!not userPassword=%{userPassword}, because then the account passwords are mirrored). This works, but I'm not allowed to change the password, i.e. with:
> ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
> I get a result of:
>
> No such object (32)
> Additional info: Failed to update password
>
> whereas for the accounts tree the ldappasswd is working fine.
> What additional setting may be required?
>
> Regards,
> Rudi Gabler
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.