Wednesday, September 26, 2018

[389-users] Re: password policy



On 09/26/2018 03:51 PM, Alberto Viana wrote:
Hi Mark,

I already have this configuration but stopped to working after I enabled my password policy. Another thing is the error changed, its not the same when was missing prehashed config and my password was set to off.

When you turn syntax checking on then Password Admin functionally breaks, correct?  If so, it sounds like a bug then.  Please file a ticket with the exact steps to reproduce the problem.

https://pagure.io/389-ds-base/new_issue

Thanks,
Mark

On Wed, Sep 26, 2018, 16:47 Mark Reynolds <mreynolds@redhat.com> wrote:

Hi Alberto,

Only Directory Manager or a Password Admin can add pre-hashed passwords.  It has nothing to do with password policy settings.  For more on password admins see:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/password_administrators

HTH,

Mark


On 09/26/2018 02:31 PM, Alberto Viana wrote:
I have a password applied  globally like this:

dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=
 my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordWarning: 86400
passwordInHistory: 3
passwordMinLength: 8
passwordMinCategories: 3
passwordStorageScheme: SSHA512
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: on
passwordExp: on
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,DC=my,DC=domain

In a sub OU, I have this policy:

# cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3
 Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\
 2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordStorageScheme: SSHA
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: off
passwordExp: off
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain

But when I try to add a prehashed password on this sub OU, I see this kind of error:
LDAP: error code 19 - invalid password syntax - passwords with storage scheme are not allowed

Is this an expected behavior even if in sub OU I have an password policy with passwordCheckSyntax set to off? If so, do I have any way to disable this behavior? (but I can not disable my global password policy)

PS: The password policy is respecting the fact of passwordCheckSyntax is set to off when I try to add a simple password like '1234'.
 


_______________________________________________  389-users mailing list -- 389-users@lists.fedoraproject.org  To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org  Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html  List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org  



_______________________________________________  389-users mailing list -- 389-users@lists.fedoraproject.org  To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org  Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html  List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org  

No comments:

Post a Comment