I have a password applied globally like this:
dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordWarning: 86400
passwordInHistory: 3
passwordMinLength: 8
passwordMinCategories: 3
passwordStorageScheme: SSHA512
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: on
passwordExp: on
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,DC=my,DC=domain
In a sub OU, I have this policy:
# cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain, nsPwPolicyContainer, POPS, EXTERNOS, my, my.domain
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
passwordLockout: off
passwordGraceLimit: 50
passwordStorageScheme: SSHA
passwordChange: on
passwordMaxAge: 31536000
passwordCheckSyntax: off
passwordExp: off
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,ou=POPS,OU=EXTERNOS,dc=my,dc=domain
But when I try to add a prehashed password on this sub OU, I see this kind of error: LDAP: error code 19 - invalid password syntax - passwords with storage scheme are not allowed
Is this expected behavior even if in the sub OU I have a password policy with passwordCheckSyntax set to off? If so, do I have any way to disable this behavior? (I cannot disable my global password policy, though.)
PS: The password policy is respecting the fact that passwordCheckSyntax is set to off when I try to add a simple password like '1234'.
Hi Alberto,
Only Directory Manager or a Password Admin can add pre-hashed passwords. It has nothing to do with password policy settings. For more on password admins see:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/password_administrators
HTH,
Mark
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Hi Mark,
I already have this configuration, but it stopped working after I enabled my password policy. Another thing is that the error changed; it's not the same as when the prehashed config was missing and my password was set to off.
When you turn syntax checking on then Password Admin functionally breaks, correct? If so, it sounds like a bug then. Please file a ticket with the exact steps to reproduce the problem.
https://pagure.io/389-ds-base/new_issue
Thanks, Mark
Actually, I think you need to set (again) passwordAdminDN in each subtree policy. Please try this and let me know if it works.
Thanks, Mark
I saw that in the doc; it's now working fine.
Thanks a lot.
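Added example, not part of the original thread and not 389 Directory Server code: a small audit that follows Mark's suggestion by listing every password policy entry in an LDIF export that has no passwordAdminDN of its own, and producing the change record that sets it. The sample LDIF is constructed from the two policies quoted above; ADMIN_DN, the passwordAdminDN value in the sample and the function names are assumptions.

```python
import re

# Constructed sample modelled on the two policy entries quoted in this thread.
# ADMIN_DN and the passwordAdminDN value below are hypothetical, not from the thread.
ADMIN_DN = "cn=Passwd Admins,ou=Groups,dc=my,dc=domain"
SAMPLE_LDIF = r"""
dn: cn=cn\3DnsPwPolicyEntry\2CDC\3Dmy\2CDC\3Ddomain,cn=nsPwPolicyContainer,dc=
 my,dc=domain
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordCheckSyntax: on
passwordAdminDN: cn=Passwd Admins,ou=Groups,dc=my,dc=domain

dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPOPS\2COU\3DEXTERNOS\2Cou\3Dmy\2Cdc\3Dmy\
 2Cdc\3Ddomain,cn=nsPwPolicyContainer,ou=POPS,OU=EXTERNOS,ou=my,dc=my,dc=domain
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordCheckSyntax: off
"""

def parse_ldif(text):
    """Return entries as {lowercased attribute: [values]}; base64 ('::') values are not decoded."""
    # RFC 2849 folding: a newline followed by one space continues the previous line.
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and anything that is not "attr: value"
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def policies_missing_admin(entries):
    """DNs of passwordpolicy entries that carry no passwordAdminDN of their own."""
    return [e["dn"][0] for e in entries
            if "passwordpolicy" in (v.lower() for v in e.get("objectclass", []))
            and not e.get("passwordadmindn")]

def modify_record(policy_dn, admin_dn):
    """LDIF change record (ldapmodify input) that sets passwordAdminDN on one policy entry."""
    return (f"dn: {policy_dn}\nchangetype: modify\n"
            f"replace: passwordAdminDN\npasswordAdminDN: {admin_dn}\n")

if __name__ == "__main__":
    for dn in policies_missing_admin(parse_ldif(SAMPLE_LDIF)):
        print(modify_record(dn, ADMIN_DN))
```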