Wednesday, September 26, 2018

[389-users] Re: password policy

Hi Alberto,

Only Directory Manager or a Password Admin can add pre-hashed passwords.  It has nothing to do with password policy settings.  For more on password admins see:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/password_administrators

HTH,

Mark


On 09/26/2018 02:31 PM, Alberto Viana wrote:
I have a password applied globally like this:

dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=
 my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordWarning: 86400
passwordInHistory: 3
passwordMinLength: 8
passwordMinCategories: 3
passwordStorageScheme: SSHA512
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: on
passwordExp: on
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,DC=my,DC=domain

In a sub OU, I have this policy:

# cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3
 Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\
 2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordStorageScheme: SSHA
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: off
passwordExp: off
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain

But when I try to add a prehashed password on this sub OU, I see this kind of error:
LDAP: error code 19 - invalid password syntax - passwords with storage scheme are not allowed

Is this expected behavior even if in the sub OU I have a password policy with passwordCheckSyntax set to off? If so, do I have any way to disable this behavior? (But I cannot disable my global password policy.)

PS: The password policy does respect passwordCheckSyntax being set to off when I try to add a simple password like '1234'.
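To make concrete what "pre-hashed" means in the error above, here is an added example that is not part of this thread or of 389 Directory Server's own code. It builds and verifies userPassword values in the salted-SHA layout that 389 DS stores for the two schemes named in the policies (SSHA and SSHA512), and flags the values that an ordinary bind is refused to write: anything carrying a {SCHEME} prefix. The 8-byte salt length and the exact prefix test are assumptions made for the example; the server's own check may differ in detail.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Storage schemes that appear in the thread's two policies, mapped to hashlib names.
SCHEMES = {"SSHA": "sha1", "SSHA512": "sha512"}
SALT_LEN = 8  # assumption: salt length used for the salted SHA schemes


def scheme_of(value: str) -> Optional[str]:
    """Return the storage-scheme prefix of a userPassword value, or None for clear text."""
    if value.startswith("{") and "}" in value:
        return value[1 : value.index("}")]
    return None


def make_hash(password: str, scheme: str = "SSHA512", salt: Optional[bytes] = None) -> str:
    """Return '{SCHEME}base64(digest(password || salt) || salt)', the layout 389 DS stores.

    This is exactly the kind of value that only Directory Manager or a password
    admin may write into userPassword; everyone else gets LDAP error 19.
    """
    algo = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA}/{SSHA512} value."""
    scheme = scheme_of(stored)
    if scheme not in SCHEMES:
        return False  # unknown or clear-text scheme: not something this example verifies
    try:
        raw = base64.b64decode(stored[len(scheme) + 2 :], validate=True)
    except ValueError:
        return False
    digest_len = hashlib.new(SCHEMES[scheme]).digest_size
    if len(raw) <= digest_len:
        return False  # no salt bytes after the digest: malformed value
    digest, salt = raw[:digest_len], raw[digest_len:]
    candidate = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def needs_password_admin(userpassword: str) -> bool:
    """True when the value is pre-hashed, i.e. the write requires a password-admin bind.

    passwordCheckSyntax has no bearing on this; it only governs clear-text values.
    """
    return scheme_of(userpassword) is not None


if __name__ == "__main__":
    stored = make_hash("correct horse", "SSHA512")
    print(stored)
    print("verify:", verify("correct horse", stored))
    # Constructed inputs: one clear-text value, one pre-hashed value.
    for value in ("1234", stored):
        print(repr(value[:24]), "needs password admin:", needs_password_admin(value))
```

Running it prints a fresh {SSHA512} value, confirms it verifies, and shows that '1234' passes the pre-hash check (so only passwordCheckSyntax applies to it) while the hashed value does not. The server-side remedy Mark points to is to grant the binding account password-admin rights as described in the linked guide, rather than to relax the subtree policy.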


