For some reason, you have 'nsslapd-pwpolicy-local: off'.
If this attribute has a value of off, all entries (except for cn=Directory Manager) in the directory are subjected to the global password policy; the server ignores any defined subtree/user level password policy.
If this attribute has a value of on, the server checks for password policies at the subtree- and user-level and enforces those policies.
Could you please enable it and try to test your issue again?
Hope that helps,
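A small check of the precedence rule described above, added here and not part of the thread: it parses constructed copies of the output of `dsconf ... config get nsslapd-pwpolicy-local`, `pwpolicy get` and `localpwp get` (modelled on the thread's commands; `attr_value` and `effective_mustchange` are helper names of my own) and reports which passwordmustchange value is actually in force for the subtree.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a subtree's local
# passwordmustchange is actually enforced, from the text dsconf prints.
# Precedence as stated in the reply above: with nsslapd-pwpolicy-local off
# the global policy wins and local policies are ignored; with it on, the
# local subtree/user policy is enforced.

# Constructed sample of `dsconf -D "cn=Directory Manager" pro02 config get nsslapd-pwpolicy-local`
SAMPLE_FLAG='nsslapd-pwpolicy-local: off'
# Constructed sample of `dsconf ... pro02 pwpolicy get` (global policy)
SAMPLE_GLOBAL='Global Password Policy: cn=config
passwordchange: on
passwordmustchange: off'
# Constructed sample of `dsconf ... pro02 localpwp get ou=People,dc=example,dc=com`
SAMPLE_LOCAL='Local User Policy Policy for "ou=People,dc=example,dc=com":
passwordstoragescheme: ssha512
passwordchange: on
passwordmustchange: on
passwordadmindn: cn=siteops sa,ou=sa groups,dc=example,dc=com'

# attr_value TEXT ATTR: print the value of the first "ATTR: value" line.
# Attribute names compare case-insensitively; only the first colon splits.
attr_value() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { n = index($0, ":"); if (n == 0) next
          if (tolower(substr($0, 1, n - 1)) != want) next
          v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# effective_mustchange FLAG_TEXT GLOBAL_TEXT LOCAL_TEXT: print "on" or "off"
# as it applies to the subtree the local policy was fetched for.
effective_mustchange() {
    flag=$(attr_value "$1" nsslapd-pwpolicy-local)
    glob=$(attr_value "$2" passwordmustchange)
    loc=$(attr_value "$3" passwordmustchange)
    if [ "$flag" = on ] && [ -n "$loc" ]; then
        printf '%s\n' "$loc"          # local policy is consulted and sets the attribute
    else
        printf '%s\n' "${glob:-off}"  # global policy applies (assumed default: off)
    fi
}

echo "nsslapd-pwpolicy-local is: $(attr_value "$SAMPLE_FLAG" nsslapd-pwpolicy-local)"
echo "effective passwordmustchange for ou=People: $(effective_mustchange "$SAMPLE_FLAG" "$SAMPLE_GLOBAL" "$SAMPLE_LOCAL")"
```

With the flag off, the script reports `off` even though the local policy says `on`, which is exactly the symptom in the thread; flip the sample flag to `on` and the local value wins.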
On Tue, Nov 16, 2021 at 6:37 AM Brian Collins <email@example.com> wrote:
Sure thing, Simon. I believe the queries I did below gave me what
you requested. Please let me know if you need more information.
# dsconf -y dirman.txt -D "cn=Directory Manager" pro02 pwpolicy get
Global Password Policy: cn=config
# dsconf -y ~/dirman.txt -D "cn=Directory Manager" pro02 localpwp get
Local User Policy Policy for "ou=People,dc=example,dc=com":
passwordadmindn: cn=siteops sa,ou=sa groups,dc=example,dc=com
On Tue, Nov 16, 2021 at 12:36 AM Simon Pichugin <firstname.lastname@example.org> wrote:
> Hi Brian,
> could you please provide your full Password Policy setup (both global and local, entries and attributes)?
> Please, check this chapter for the details:
> On Mon, Nov 15, 2021 at 8:37 AM Brian Collins <email@example.com> wrote:
>> Good day all.
>> We recently updated our 389-ds infrastructure from 126.96.36.199 on RHEL 7
>> to 188.8.131.52, installed via epel-modular, on RHEL 8.
>> Since that time, it appears that our local password policy setting of
>> "pwdmustchange" is not working. If I apply a global policy, it does
>> seem to work, but we prefer to keep it as a local policy applied to a
>> subtree (ou=People,dc=example,dc=com).
>> # dsconf -y ~/dirman.txt -D "cn=Directory Manager" pro02 localpwp get
>> Local User Policy Policy for "ou=People,dc=example,dc=com":
>> passwordstoragescheme: ssha512
>> passwordchange: on
>> passwordmustchange: on
>> passwordhistory: off
>> passwordadmindn: cn=siteops sa,ou=sa groups,dc=example,dc=com
>> passwordexp: off
>> passwordminage: 0
>> With the above settings, but the global policy for passwordmustchange
>> set to "off", an administratively-changed password (done by Directory
>> Manager) does not require a change on first login. If I change the
>> global policy to on and reset the user's password again, it does
>> require a change.
>> Again, time-wise, this seems to have begun with our move from 1.3 to
>> 1.4. To do the upgrade, we introduced 1.4 servers then created
>> replication agreements with them. Then we removed the 1.3 servers (I
>> hope that was the right way to do it; didn't think much about it at
>> the time).
>> It would not surprise me if I am doing (or have done) something wrong
>> here, but I'm unable to pinpoint what.
>> Thank you in advance,
>> 389-users mailing list -- firstname.lastname@example.org