Friday, September 10, 2021

[389-users] Re: global passwd policy for DS with existing users

·        Thank you Mark,

·         I am considering  the  DS global password Policy with  the configuration to have the users  “must” change their passwords according to a schedule.

·        Since there are already 6K users in DS  with  no password policy in place I am thinking for start we shall  force and update each uid userPassword attribute ( running a script in DS),

·        and next step  configure the DS for global password policy with  the new attributes in place ( which specific attributes you suggest?)

·        and the last step when the users are trying to logging they must change their passw since their old passwd was removed already.

·         How is this  design option sounds ?

·          I assume  for the  new passwd  policy  the following attributes will need to be configured : passwordExp - , passwordMaxAge , passwordWarning ,passwordMustChange passwordGracelimit – is this correct ?


·         The two DSs  are configured in multimaster replication  and  another  DS acting as slave cfg   in master to slave ( only reads  accepted) , from what I read will need to configure each  of the master DS   with  same Password Policy correct ?

·         How about the slave DS any configuration changes  and which ones ?

·        Thank you

·        Isabella



From: Mark Reynolds []
Sent: September 10, 2021 12:38 PM
To: General discussion list for the 389 Directory server project. <>; Ghiurea, Isabella <>
Subject: Re: [389-users] global passwd policy for DS with existing users


***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC


On 9/10/21 1:46 PM, Ghiurea, Isabella wrote:

Hi List,

I need your expertise  , I am looking to configure global  password policy for an existing DS  with  aprox 7 k users, at present we are using only the userPassword attribute  , no extra password plugins or  attributes are  enabled , the DS is running

What is the  less intrusive  solution to implement  a  global Password Policy  and cfg  attributes  for all   existing user accounts  without sending each user emails notification to reset their password ?  I  understand the Password Policy will take effect  only after the users passwords  are  reset , is this correct ?


You are not being specific about what password policy you want to implement, there are countless variations.  Some require the password to be reset to start working, others do not.  So please let us know exactly what you want to implement from password policy so we can answer your questions.  For example there is password history, password expiration, password warning, grace periods, syntax checking, account lockout, etc. Each one has its own behavior and configuration.

If you are not sure what you want to implement then I recommend looking over the admin guide to see more details on the password policy options:



389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam on the list, report it:
Directory Server Development Team

No comments:

Post a Comment