Sunday, October 11, 2020

[389-users] Password policy applicable to bind?

Hi,

I'm looking at applying local password policy to our existing users.
Reading the Red Hat Directory Server Deployment Guide, I see the
paragraphs below[1].

If I'm reading this correctly, it would appear that users will no
longer be able to bind to the directory server after application of the
policy if their existing password doesn't meet the policy we apply. Is
this true? If so, is there a way to prevent this, and only apply the
policy on password modify operations?

Thanks.
Grant


[1] "When a user attempts to bind to the directory, Directory Server
determines whether a local policy has been defined and enabled for the
user's entry.

To determine whether the fine-grained password policy is enabled,
the server checks the value (on or off) assigned to the nsslapd-
pwpolicy-local attribute of the cn=config entry. If the value is off,
the server ignores the policies defined at the subtree and user levels
and enforces the global password policy.
To determine whether a local policy is defined for a subtree or
user, the server checks for the pwdPolicysubentry attribute in the
corresponding user entry. If the attribute is present, the server
enforces the local password policy configured for the user. If the
attribute is absent, the server logs an error message and enforces the
global password policy.

The server then compares the user-supplied password with the value
specified in the user's directory entry to make sure they match. The
server also uses the rules defined by the password policy to ensure
that the password is valid before allowing the user to bind to the
directory. "
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

No comments:

Post a Comment