Hugo Etievant
2009-Feb-25 16:11 UTC
[Fedora-directory-users] Password policy doesn't work on a subtree
Hello,

Version: Directory Server 1.1.3 on Fedora 8, 64-bit platform.

When I configure a password policy on a subtree of my directory, this policy does not work. When I configure a global password policy, this global policy works but ignores the local policies of the subtrees.

When I look at the database LDIF backup, I do not find the "passwordMinLength" attribute for the local password policy of the subtrees, but this attribute exists in dse.ldif for the global policy!

How do I resolve this?

Regards
-- 
* Hugo Étiévant *
Visolve LDAP Group
2009-Feb-26 04:25 UTC
RE: [Fedora-directory-users] Password policy doesn't work on a subtree
Hi Hugo Étiévant,

I believe you configured the subtree password policy through the ns-newpwpolicy.pl script.

When you configure the global password policy it may override the subtree password policy. So make sure that 'nsslapd-pwpolicy-local' is 'on' in the cn=config entry of the dse.ldif file to make the subtree policy work. This attribute decides whether the local password policy is enabled or not. Anyway, the execution of the ns-newpwpolicy.pl script will turn this attribute value to 'on'.

However, you cannot see any traces of the subtree password policy attributes by searching the cn=config tree or in the dse.ldif file. It will show only the global password policy attributes. You can see the list of applied subtree password policy attributes by performing a search like this:

    /opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
      -D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry

    dn: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: passwordpolicy
    cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
    passwordExp: off
    passwordMaxAge: 10
    passwordWarning: 15
    passwordGraceLimit: 1
    pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com

Regards,
ViSolve LDAP Team.
Hugo Etievant
2009-Feb-26 14:51 UTC
Re: [Fedora-directory-users] Password policy doesn't work on a subtree
Hello,

I use only the GUI for configuration. I do not use the perl script.

I have checked "Enable fine-grained password policy" on the global Password Policy, and I have configured a local Password Policy on a subtree. But this second policy does not work as it should: the minimum length of the password is ignored.

"nsslapd-pwpolicy-local: on" appears in my dse.ldif file.

An ldap search shows the password policy, but some attributes of my policy do not appear! Example:

    dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,dc=fr",cn=nsPwPolicyContainer,ou=tests,dc=inrp,dc=fr
    passwordMinDigits: 1
    passwordMinAlphas: 1
    passwordStorageScheme: ssha
    passwordGraceLimit: 0
    passwordCheckSyntax: on
    passwordMinTokenLength: 2
    passwordInHistory: 10
    passwordChange: on
    passwordWarning: 0
    passwordMinAge: 0
    passwordHistory: on
    passwordExp: on
    passwordMustChange: off
    passwordMaxAge: 63072000
    objectClass: ldapsubentry
    objectClass: passwordpolicy

Here, the "passwordMinLen" attribute does not appear, but I entered it with the GUI tool (value = "8" chars)!!!!

Is this a bug?

I apply the same policy for global and for the local subtree, but I get different LDAP entries!

Global policy attributes:

    nsslapd-security: on
    nsslapd-pwpolicy-local: on
    passwordMinLength: 8
    passwordMinCategories: 3
    passwordMinTokenLength: 2
    passwordCheckSyntax: on
    passwordMinAlphas: 1
    passwordMinDigits: 1
    passwordMaxAge: 63072000
    passwordExp: on
    passwordHistory: on
    passwordWarning: 0
    passwordInHistory: 10

Local policy attributes:

    passwordMinDigits: 1
    passwordMinAlphas: 1
    passwordStorageScheme: ssha
    passwordGraceLimit: 0
    passwordCheckSyntax: on
    passwordMinTokenLength: 2
    passwordInHistory: 10
    passwordChange: on
    passwordWarning: 0
    passwordMinAge: 0
    passwordHistory: on
    passwordExp: on
    passwordMustChange: off
    passwordMaxAge: 63072000

Here, passwordMinLen is lost!!!!!

=> How can I apply this rule about the minimum length of the password?????

Regards

Visolve LDAP Group wrote:
> Hi Hugo Étiévant,
>
> I believe you configured the subtree password policy through the ns-newpwpolicy.pl script.
> [...]

-- 
* Hugo Étiévant *
*Bibliothèque Denis Diderot
IT coordinator of the SID project (Documentary Information System)*
hugo.etievant@inrp.fr <mailto:hugo.etievant@inrp.fr>
Tel: 04 72 76 61 13 - Fax: 04 72 76 61 10
Rich Megginson
2009-Feb-26 15:20 UTC
Re: [Fedora-directory-users] Password policy doesn't work on a subtree
Visolve LDAP Group wrote:
> Hi Hugo Étiévant,
>
> [...]
>
> You can see the list of applied subtree password policy attributes by performing a search like this.
>
> /opt/dirsrv/bin/ldapsearch -v -h <host> -p <port> \
>   -D "<managerDN>" -w <passwd> -b <suffix> objectclass=ldapsubentry
>
> dn: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com
> objectClass: top
> objectClass: ldapsubentry
> objectClass: passwordpolicy
> cn: cn=nsPwPolicyEntry,ou=marketing,o=abc.com
> passwordExp: off
> passwordMaxAge: 10
> passwordWarning: 15
> passwordGraceLimit: 1
> pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=marketing,o=abc.com",cn=nsPwPolicyContainer,ou=marketing,o=abc.com

If you set a local password policy like this, _it will not use the global settings at all_ - it will not fall back on the global settings in cn=config - you must specify all of the parameters you care about in your local password policy. If you do not, it will fall back on either nothing or the hardcoded default in the server itself.

> Regards,
> ViSolve LDAP Team.
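A check that follows from the point above, as an added example that is not code from this thread or from the 389/Fedora Directory Server project: it parses the global (cn=config) and local policy entries as LDIF and lists the password* attributes the local policy omits, i.e. the ones that silently fall back to the server's hard-coded default. The two sample entries are constructed from the attribute lists posted in this thread (abridged); in practice they would come from ldapsearch output.

```python
"""Audit a 389 / Fedora Directory Server local (subtree) password policy against
the global policy in cn=config.  Added example, not code from the thread or the
389 project: a local policy does not fall back on cn=config, so any password*
attribute set globally but absent locally reverts to the server's hard-coded default."""
from typing import Dict, List, Tuple


def parse_ldif_entry(text: str) -> Dict[str, Tuple[str, str]]:
    """One LDIF entry -> {lowercased attr: (attr as written, value)}.  A line
    starting with a space continues the previous one (how LDIF wraps long DNs).
    Multi-valued attrs (objectClass) keep the last value; password* are single."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif raw.strip():
            lines.append(raw)
    entry: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry[name.strip().lower()] = (name.strip(), value.strip())
    return entry


def audit_local_policy(global_ldif: str, local_ldif: str) -> Dict[str, object]:
    """password* attrs set globally but missing locally, and those whose values differ."""
    g, loc = parse_ldif_entry(global_ldif), parse_ldif_entry(local_ldif)
    pw = [k for k in g if k.startswith("password")]
    missing = sorted((g[k][0] for k in pw if k not in loc), key=str.lower)
    differs = {g[k][0]: (g[k][1], loc[k][1]) for k in pw
               if k in loc and g[k][1] != loc[k][1]}
    return {"missing": missing, "differs": differs}


# Constructed sample input, abridged from the attribute lists posted in the thread.
GLOBAL_POLICY = """dn: cn=config
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordCheckSyntax: on
passwordMaxAge: 63072000
"""
LOCAL_POLICY = """dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,dc=fr",cn=nsPwPolicyContainer,
 ou=tests,dc=inrp,dc=fr
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordStorageScheme: ssha
passwordCheckSyntax: on
passwordMaxAge: 63072000
"""
```

Calling audit_local_policy(GLOBAL_POLICY, LOCAL_POLICY) reports passwordMinCategories and passwordMinLength as missing, which is exactly the attribute the thread found "lost" in the local policy.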
Rich Megginson
2009-Feb-26 15:55 UTC
Re: [Fedora-directory-users] Password policy doesn't work on a subtree
Hugo Etievant wrote:
> Hello,
>
> I use only the GUI for configuration. I do not use the perl script.

The GUI does the same thing as the perl script.

> I have checked "Enable fine-grained password policy" on the global Password Policy,
> and I have configured a local Password Policy on a subtree.
> But this second policy does not work as it should: the minimum length of the password is ignored.
>
> "nsslapd-pwpolicy-local: on" appears in my dse.ldif file.
>
> An ldap search shows the password policy, but some attributes of my policy do not appear! Example:
>
>     dn: cn="cn=nsPwPolicyEntry,ou=tests,dc=inrp,dc=fr",cn=nsPwPolicyContainer,ou=tests,dc=inrp,dc=fr
>     passwordMinDigits: 1
>     [...]
>     passwordMaxAge: 63072000
>     objectClass: ldapsubentry
>     objectClass: passwordpolicy
>
> Here, the "passwordMinLen" attribute does not appear, but I entered it with the GUI tool (value = "8" chars)!!!!
>
> Is this a bug?
>
> I apply the same policy for global and for the local subtree, but I get different LDAP entries!
>
> Global policy attributes: [...]
>
> Local policy attributes: [...]
>
> Here, passwordMinLen is lost!!!!!

Is passwordMinLength the only attribute you cannot set in your local password policy? Do you have this problem with any other attribute?

> => How can I apply this rule about the minimum length of the password?????
>
> Regards
Hugo Etievant
2009-Feb-27 14:08 UTC
Re: [Fedora-directory-users] Password policy doesn't work on a subtree
Rich Megginson wrote:
> Hugo Etievant wrote:
>> Hello,
>>
>> I use only the GUI for configuration. I do not use the perl script.
> The GUI does the same thing as the perl script.
>>
>> Here, passwordMinLen is lost!!!!!
> Is passwordMinLength the only attribute you cannot set in your local
> password policy? Do you have this problem with any other attribute?

Yes! passwordMinLength is the only attribute with the problem!

-- 
* Hugo Étiévant *
*Bibliothèque Denis Diderot
IT coordinator of the SID project (Documentary Information System)*
hugo.etievant@inrp.fr <mailto:hugo.etievant@inrp.fr>
Tel: 04 72 76 61 13 - Fax: 04 72 76 61 10