From: Ghiurea, Isabella
Sent: September 20, 2021 3:32 PM
To: 'Mark Reynolds' <mreynolds@redhat.com>; General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>
Subject: RE: [389-users] ns-newpolicy/pl documentation/use case
I cfg the DS see the dse,ldif, next reboot the server and update a user passwd with ldappasswd, I am not able to see passwordTrackUpdateTime in user entry.
nsslapd-pwpolicy-inherit-global: on
nsslapd-pwpolicy-local: on
passwordTrackUpdateTime: on
running 389-ds-base-1.3.9
I tried with nsslapd-pwpolicy-local: off and
nsslapd-pwpolicy-inherit-global: on and
passwordTrackUpdateTime: on
and still same result.
Please , what I am missing from this cfg ?
Thank you!
From: Mark Reynolds [mailto:mreynolds@redhat.com]
Sent: September 20, 2021 2:00 PM
To: Ghiurea, Isabella <Isabella.Ghiurea@nrc-cnrc.gc.ca>; General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>
Subject: Re: [389-users] ns-newpolicy/pl documentation/use case
***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC
On 9/20/21 11:32 AM, Ghiurea, Isabella wrote:
Thank you, so the steps to have this attribute cfg and with set value for each user are :
1. In DS cfg add attriute PasswordTrackUpddateTime to on, nsslapd-policy-local to on and nsslapd-pwpolicy-inherit –global to on
2. Have users chage their passwd
3. The uid entries wtill display the new attribute :PasswordTrackUpdateTime with time stamp value
Is this sufficient to have this attribute populate for each DS entry ?
Do I still need to run this ns-newpolicy.pl script ?
Do you really need a local subtree policy? If the password policy you want to use will apply to all your users then you can simplify all of this. Just set passwordTrackUpdateTime to "on". That's it.
If affirmative, I would like to learn when and what arguments must provide at run time ?
Sorry, I'm not sure what you are asking here...
Mark
Isabella
4.
From: Mark Reynolds [mailto:mreynolds@redhat.com]
Sent: September 20, 2021 6:01 AM
To: General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>; Ghiurea, Isabella <Isabella.Ghiurea@nrc-cnrc.gc.ca>
Subject: Re: [389-users] ns-newpolicy/pl documentation/use case
***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC
On 9/17/21 4:46 PM, Ghiurea, Isabella wrote:
Hi List
I am searching for some documentation for ns-newpolicy.pl file , as per RH Doc I can use that script to add the attribute : pwdUpdateTime to each uid entry after I already cfg in DS Password TrackUpdateTime and pwdpolicy- inherit -global to ‘on’;
The only docs we have are the official Red Hat docs. Here's a recap...
This will start to add "pwdUpdateTime" to entries after they change their passwords, but it does not automatically add it to all existing entries. They must change their passwords after enabling this setting for pwdUpdateTime to be set.
This setting is only used if you are using local password policies (subtree/user policies). It means it will check the global policy settings AND the local policy settings. Otherwise only the local policy is applied.
HTH,
MarkThank you
Isabella
_______________________________________________389-users mailing list -- 389-users@lists.fedoraproject.orgTo unsubscribe send an email to 389-users-leave@lists.fedoraproject.orgFedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelinesList Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.orgDo not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure--Directory Server Development Team
--
Directory Server Development Team
No comments:
Post a Comment