Hi Eugen,
if I understood correctly, the customer already has Password Policy set up
for common users which should not be able to change the password after the
expiration.
And the customer needs another policy for the special users which should be
able to change the password after expiration (or the expiration should be
disabled for them completely).
For that, the customer can configure Local Password Policy for the
particular subtree/user.
Please, check the section 20.4.2 here:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
Hope that helps,
Simon
On Wed, Sep 16, 2020 at 2:09 PM Eugen Lamers <eugen.lamers(a)br-automation.com>
wrote:
We have the following scenario:
We use a "global" password policy at cn=config where a customer of ours
defines:
passwordexp: on
passwordmaxage: 7776000
passwordwarning: 7344000
We provide as default configuration "passwordMustChage: on" to force a new
user to chage the initial password. In this setup a user whose password
expired, i.e. also after this user is created and needs to change its
initial password, cannot login to the account, but he can change the
password.
The customer now wants a setup which prevents a user whose password
expired from changing the password. A plugin "Account Policy Plugin" can
therefore be activated by the customer, which uses the following
configuration:
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: yes
stateAttrName: non_existent_attribute
altStateAttrName: passwordExpirationTime
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit
As a consequence, the initial password change does not work anymore, thus
the customer must change to "passwordMustChange: off". This would probably
be acceptable.
A problem is, however, that a user account which has its own user password
policy with "passwordexp: off" and "passwordmustchange: off" is
affected by
the plugin in such a way that the attribute passwordExpirationTime of the
user itself is evaluated and the attribute passwordexp of the user password
policy is ignored. That means, a user password policy for special user
accounts without password expiration cannot be used in combination with the
Account Policy Plugin.
Can the plugin be configured to enable this possiblity or is there another
way to achieve the desired behaviour?
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...