Monday, September 20, 2021

[389-users] Re: ns-newpolicy/pl documentation/use case


On 9/20/21 6:36 PM, Ghiurea, Isabella wrote:

 

 

From: Ghiurea, Isabella
Sent: September 20, 2021 3:32 PM
To: 'Mark Reynolds' <mreynolds@redhat.com>; General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>
Subject: RE: [389-users] ns-newpolicy/pl documentation/use case

 

I cfg the DS  see the dse,ldif,  next reboot the server and update a user passwd with  ldappasswd, I am not able to see  passwordTrackUpdateTime in user entry.

 

nsslapd-pwpolicy-inherit-global: on

nsslapd-pwpolicy-local: on

passwordTrackUpdateTime: on

 

running 389-ds-base-1.3.9

 

I tried with nsslapd-pwpolicy-local: off and

nsslapd-pwpolicy-inherit-global: on and

passwordTrackUpdateTime: on

and still same result.

Please , what I am missing from this cfg ?

I have no idea, all I did was set passwordTrackUpdateTime to on, and then I changed a user's password.  That is it.  No other configuration changes are needed.  After that I saw this in the audit log:

    dn: uid=demo_user,ou=people,dc=example,dc=com
    changetype: modify
    replace: pwdUpdateTime
    pwdUpdateTime: 20210920205730Z

Now pwdUpdateTime is an operational attribute, so if you want to confirm it was written by doing a search, then the search must request that attribute (or else it is not returned to the client):

# ldapsearch -D "..." -W -b dc=example,dc=com uid=demo_user pwdUpdateTime

Mark

Thank you!

 

 

From: Mark Reynolds [mailto:mreynolds@redhat.com]
Sent: September 20, 2021 2:00 PM
To: Ghiurea, Isabella <Isabella.Ghiurea@nrc-cnrc.gc.ca>; General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>
Subject: Re: [389-users] ns-newpolicy/pl documentation/use case

 

***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC

 

On 9/20/21 11:32 AM, Ghiurea, Isabella wrote:

Thank you, so the steps to have this  attribute cfg  and  with set value for each user  are :

 

1.       In DS cfg add attriute PasswordTrackUpddateTime to on, nsslapd-policy-local to on and nsslapd-pwpolicy-inherit –global to on

2.       Have users chage their passwd

3.       The uid entries wtill display the new attribute :PasswordTrackUpdateTime with time stamp value

Is this sufficient  to have this attribute populate for each DS entry ?

 

Do I  still need to run this ns-newpolicy.pl script ?

Do you really need a local subtree policy?  If the password policy you want to use will apply to all your users then you can simplify all of this.  Just set passwordTrackUpdateTime to "on".  That's it. 

If affirmative, I would like to learn when and what arguments must provide at run time ?

Sorry, I'm not sure what you are asking here...

Mark

 

Isabella

4.        

 

From: Mark Reynolds [mailto:mreynolds@redhat.com]
Sent: September 20, 2021 6:01 AM
To: General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>; Ghiurea, Isabella <Isabella.Ghiurea@nrc-cnrc.gc.ca>
Subject: Re: [389-users] ns-newpolicy/pl documentation/use case

 

***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC

 

On 9/17/21 4:46 PM, Ghiurea, Isabella wrote:

Hi List

I am searching for  some  documentation  for ns-newpolicy.pl file , as per RH Doc I can  use that script to add the attribute : pwdUpdateTime to each uid  entry after I  already cfg in  DS  Password TrackUpdateTime and  pwdpolicy-  inherit -global  to 'on';

The only docs we have are the official Red Hat docs.  Here's a recap...

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordTrackUpdateTime

This will start to add "pwdUpdateTime" to entries after they change their passwords, but it does not automatically add it to all existing entries.  They must change their passwords after enabling this setting for pwdUpdateTime to be set.

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_pwpolicy_inherit_global_Inherit_Global_Password_Policy

This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings.  Otherwise only the local policy is applied.

HTH,
Mark

Thank you

Isabella



_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 
Directory Server Development Team
-- 
Directory Server Development Team
--   Directory Server Development Team

No comments:

Post a Comment