From: Mark Reynolds <email@example.com>
Sent: Friday, September 24, 2021 9:38 AM
To: General discussion list for the 389 Directory server project. <firstname.lastname@example.org>; Michael Starling <email@example.com>
Subject: Re: [389-users] Password lockout policy max failure.
On 9/24/21 9:23 AM, Michael Starling wrote:
I'm having an issue where we have passwordMaxFailure set to "5" in the global policy but users are getting locked out after 3 attempts.
This is because you have a mix of global and local policies. Local policies override the global policy.
In the local policy you did NOT set passwordMaxFailure, so it uses the default of 3. If you don't need separate policies then just use the global policy for everything and remove he local policies.
On a side note, if you are using dsconf on the same system as the directory server you can simplify the cli usage to use LDAPI, and it's much less to type:
dsconf -W -D cn=manager ldaps://dsa101.mydomain.com:636 pwpolicy get
This can become:
# dsconf slapd-YOUR_INSTANCE_NAME pwpolicy get
You can even shorten this by removing the "slapd-" prefix:
# dsconf YOUR_INSTANCE_NAME pwpolicy get
It's just easier to explain this the first time by using the "slapi-", but it's completely optional. So on my system my hostname and instance name are localhost. So I use all the CLI tools like this:
# dsconf localhost pwpolicy get
This only works if you run dsconf on the DS machine, and you need to run it as root. This works for all the CLI tools (dsidm, dsctl, and dsconf)
Once again, great information Mark.
So essentially, I need to set passwordMaxFailure 5 in the local policy as well?
Correct, or remove the local policy (unless you need it).
ThanksRight now, when a user is locked out the only way I can tell is by looking at the attributes below.One is likely to assume that once the "accountUnlockTime" attribute has been set on an account, the account is indeed locked out. accountUnlockTime: 20210920190503Z passwordRetryCount: 3 retryCountResetTime: 20210920181413Z
[mstarling@dsa101 ~]$ dsconf -W -D cn=manager ldaps://dsa101.mydomain.com:636 pwpolicy getGlobal Password Policy: cn=config------------------------------------nsslapd-pwpolicy-local: onpasswordstoragescheme: SSHA512passwordchange: onpasswordmustchange: offpasswordhistory: onpasswordinhistory: 10passwordadmindn: cn=Generic_PasswordPolicy_Override,ou=LDAPadmin,dc=mydomain,dc=compasswordtrackupdatetime: onpasswordwarning: 86400passwordisglobalpolicy: onpasswordexp: onpasswordmaxage: 7776000passwordminage: 86400passwordgracelimit: 0passwordsendexpiringtime: offpasswordlockout: onpasswordunlock: onpasswordlockoutduration: 600passwordmaxfailure: 5passwordresetfailurecount: 600passwordchecksyntax: offpasswordminlength: 48passwordmindigits: 0passwordminalphas: 0passwordminuppers: 0passwordminlowers: 0passwordminspecials: 0passwordmin8bit: 0passwordmaxrepeats: 0passwordpalindrome: offpasswordmaxsequence: 0passwordmaxseqsets: 0passwordmaxclasschars: 0passwordmincategories: 5passwordmintokenlength: 3passwordbadwords: athena health interfacepassworduserattributes: cn uid sn givenName mail gecos homeDirectorypassworddictcheck: onpassworddictpath: /usr/lib64/security/pam_cracklib.sonsslapd-allow-hashed-passwords: onnsslapd-pwpolicy-inherit-global: on
dsconf -W -D cn=manager ldaps://dsa101.mydomain.com:636 localpwp get "ou=People,dc=mydomain,dc=com"
Local Subtree Policy Policy for "ou=People,dc=mydomain,dc=com": cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3DPeople\2Cdc\3Dmydomain\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=mydomain,dc=com------------------------------------passwordstoragescheme: SSHA512passwordmustchange: offpasswordhistory: onpasswordtrackupdatetime: onpasswordexp: onpasswordmaxage: 7776000passwordlockout: onpasswordchecksyntax: onpasswordminlength: 14passwordmincategories: 4passworddictcheck: on
_______________________________________________ 389-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to email@example.com Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://firstname.lastname@example.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure-- Directory Server Development Team
-- Directory Server Development Team