
Gerrard Geldenhuis 09-27-2010 02:11 PM

Local Password Policy Replicated?
 
Hi
The documentation is not very clear on this...
13.1.5 in the latest Admin Guide mentions how password policy is treated in a replicated environment but it does not distinguish or confirm that the behaviour for global and local password policies is treated in the same way with regards to replication.

Do local password policy settings get replicated?
I would assume yes, because it writes:

dn: cn=cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com,
cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy

according to the documentation.

( after typing this email I am doubting my assumption )

Can I thus change password policy for a subtree only once or should I be changing it on all servers regardless?

The reason that prompted me to ask this question is that I am using an "authenticator" user to bind to LDAP rather than binding anonymously. This user is in my company tree and also falls under the global password policy, which it should not. If someone with malicious intent wanted to break the system they could just use that user with the wrong password 5 times to lock the account. That is an obvious flaw, which is why I need to change the password policy for this user and/or group of users.

Best Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 09-27-2010 02:37 PM

Local Password Policy Replicated?
 
Gerrard Geldenhuis wrote:
> Hi
> The documentation is not very clear on this...
> 13.1.5 in the latest Admin Guide mentions how password policy is treated in a replicated environment but it does not distinguish or confirm that the behaviour for global and local password policies is treated in the same way with regards to replication.
>
> Do local password policy settings get replicated?
> I would assume yes, because it writes:
>
> dn: cn=cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com,
> cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
> objectclass: top
> objectclass: extensibleObject
> objectclass: ldapsubentry
> objectclass: passwordpolicy
>
> according to the documentation.
>
> ( after typing this email I am doubting my assumption )
>
> Can I thus change password policy for a subtree only once or should I be changing it on all servers regardless?
>
Yes, but you also have to separately activate global password policy on
each server:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
You must "Enable Fine Grained Password Policy" on every server.
> The reason that prompted me to ask this question is that I am using an "authenticator" user to bind to LDAP rather than binding anonymously. This user is in my company tree and also falls under the global password policy, which it should not. If someone with malicious intent wanted to break the system they could just use that user with the wrong password 5 times to lock the account. That is an obvious flaw, which is why I need to change the password policy for this user and/or group of users.
>
> Best Regards
>

Gerrard Geldenhuis 09-27-2010 03:03 PM

Local Password Policy Replicated?
 
>>
>> Do local password policy settings get replicated?
>> I would assume yes, because it writes:
>>
>> dn: cn=cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com,
>> cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
>> objectclass: top
>> objectclass: extensibleObject
>> objectclass: ldapsubentry
>> objectclass: passwordpolicy
>>
>> according to the documentation.
>>
>> ( after typing this email I am doubting my assumption )
>>
>> Can I thus change password policy for a subtree only once or should I be changing it on all servers regardless?
>>
>Yes, but you also have to separately activate global password policy on
>each server:
>http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
>You must "Enable Fine Grained Password Policy" on every server.

Ok, excellent, so it does get replicated if it is local but not if it is global.

I was aware that I have to set it manually on a global level, which is why I asked the question. It is a bit confusing that local password policies will get replicated but not global password policies. I will raise an enhancement request in bugzilla to make sure that this distinction is added to the documentation.

On a related note,.. the documentation mentions that there is a bug:
13.1.1.5. Manually Setting Default Password Syntax Checking for Local Password Policies
<cut>
However, there is a bug in Directory Server, so that if a password policy attribute is set in the global password policy but not in the local password policy, then neither the global setting nor the default settings is enforced by the local password policy. To work around this, set the password attributes explicitly in the local password policy.

I am sure I saw a fixed bugzilla for it, but going through the release notes https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0
I can't see any mention of this bug being fixed.

Can you confirm that this is still a bug or has been resolved. If it has been resolved I will raise another bugzilla to remove this from the documentation.

Best Regards

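The two practical points in this thread are that the fine-grained (local) policy switch in cn=config must be turned on separately on every replica, and that, because of the documented bug, a local policy should state every attribute it relies on explicitly rather than inheriting from the global policy. The script below is an added example, not code from the thread, from 389/Red Hat Directory Server or from its documentation. It assumes a constructed bind user at uid=authenticator,ou=people,dc=example,dc=com and a policy container under ou=people,dc=example,dc=com; the attribute and object class names are the ones the Directory Server admin guide uses for local password policies, and the specific values chosen (lockout off, no expiry for the service account) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): build a local password policy for the
# "authenticator" bind user with every relevant attribute stated explicitly,
# and check that fine-grained policy is enabled on each server.
# Assumed (constructed) DNs for this example:
AUTH_USER_DN="uid=authenticator,ou=people,dc=example,dc=com"
POLICY_SUBTREE="ou=people,dc=example,dc=com"

# Emit LDIF that creates the policy container (already present if
# ns-newpwpolicy.pl was used before; ldapmodify -c skips that error), the
# per-user policy entry, and the pwdpolicysubentry pointer on the user.
# Every attribute the policy depends on is set explicitly so the local
# policy never silently falls back to the global or default value.
authenticator_policy_ldif() {
    user_dn="$1"
    container="$2"
    # The policy entry's RDN embeds the user's DN, so its commas are escaped.
    escaped=$(printf '%s' "cn=nsPwPolicyEntry,$user_dn" | sed 's/,/\\,/g')
    policy_dn="cn=$escaped,cn=nsPwPolicyContainer,$container"
    cat <<EOF
dn: cn=nsPwPolicyContainer,$container
changetype: add
objectclass: top
objectclass: nsContainer
cn: nsPwPolicyContainer

dn: $policy_dn
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
passwordLockout: off
passwordMaxFailure: 5
passwordResetFailureCount: 600
passwordLockoutDuration: 3600
passwordExp: off
passwordMustChange: off
passwordCheckSyntax: on
passwordMinLength: 16

dn: $user_dn
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: $policy_dn
EOF
}

# Read ldapsearch output for cn=config on stdin; succeed only when
# nsslapd-pwpolicy-local (the "Enable Fine Grained Password Policy"
# switch, which is not replicated) is "on".
pwpolicy_local_enabled() {
    grep -qi '^nsslapd-pwpolicy-local: *on$'
}

# Query one live server.  Usage: check_server ldap://host:389 "cn=Directory Manager" secret
check_server() {
    ldapsearch -x -LLL -H "$1" -D "$2" -w "$3" -s base -b cn=config nsslapd-pwpolicy-local \
        | pwpolicy_local_enabled
}

# Constructed sample output, as two replicas would return it.
SAMPLE_ENABLED='dn: cn=config
nsslapd-pwpolicy-local: on'
SAMPLE_DISABLED='dn: cn=config
nsslapd-pwpolicy-local: off'

# Print the LDIF so it can be redirected into a file and applied with
#   ldapmodify -x -c -D "cn=Directory Manager" -W -f policy.ldif
# on one master; the policy entries themselves are replicated.
authenticator_policy_ldif "$AUTH_USER_DN" "$POLICY_SUBTREE"
```

Apply the LDIF on one supplier and let replication carry the policy entries; then run check_server against every replica, because nothing replicates the cn=config switch. pwdpolicysubentry is an operational attribute, so verify it with `ldapsearch ... -b "$AUTH_USER_DN" '+'`, and verify the lockout exemption by binding as the service account with a wrong password a few times and confirming the account still binds afterwards.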

Rich Megginson 09-27-2010 03:36 PM

Local Password Policy Replicated?
 
Gerrard Geldenhuis wrote:
>>> Do local password policy settings get replicated?
>>> I would assume yes, because it writes:
>>>
>>> dn: cn=cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com,
>>> cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
>>> objectclass: top
>>> objectclass: extensibleObject
>>> objectclass: ldapsubentry
>>> objectclass: passwordpolicy
>>>
>>> according to the documentation.
>>>
>>> ( after typing this email I am doubting my assumption )
>>>
>>> Can I thus change password policy for a subtree only once or should I be changing it on all servers regardless?
>>>
>>>
>> Yes, but you also have to separately activate global password policy on
>> each server:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
>> You must "Enable Fine Grained Password Policy" on every server.
>>
>
> Ok, excellent, so it does get replicated if it is local but not if it is global.
>
Yes. cn=config settings are not replicated.
> I was aware that I have to set it manually on a global level, which is why I asked the question. It is a bit confusing that local password policies will get replicated but not global password policies. I will raise an enhancement request in bugzilla to make sure that this distinction is added to the documentation.
>
> On a related note,.. the documentation mentions that there is a bug:
> 13.1.1.5. Manually Setting Default Password Syntax Checking for Local Password Policies
> <cut>
> However, there is a bug in Directory Server, so that if a password policy attribute is set in the global password policy but not in the local password policy, then neither the global setting nor the default settings is enforced by the local password policy. To work around this, set the password attributes explicitly in the local password policy.
>
> I am sure I saw a fixed bugzilla for it, but going through the release notes https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0
> I can't see any mention of this bug being fixed.
>
I'm not sure which bug you mean. You opened this bug which is related
but not the same: https://bugzilla.redhat.com/show_bug.cgi?id=627993

There is an old bug about the global/local default settings issue:
https://bugzilla.redhat.com/show_bug.cgi?id=190862
> Can you confirm that this is still a bug or has been resolved. If it has been resolved I will raise another bugzilla to remove this from the documentation.
>
> Best Regards
>

Gerrard Geldenhuis 09-27-2010 04:01 PM

Local Password Policy Replicated?
 
>> On a related note,.. the documentation mentions that there is a bug:
>> 13.1.1.5. Manually Setting Default Password Syntax Checking for Local Password Policies
>> <cut>
>> However, there is a bug in Directory Server, so that if a password policy attribute is set in the global password policy but not in the local password policy, then neither the global setting nor the default settings is enforced by the local password policy. To work around this, set the password attributes explicitly in the local password policy.
>>
>> I am sure I saw a fixed bugzilla for it, but going through the release notes https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0
>> I can't see any mention of this bug being fixed.
>
>I'm not sure which bug you mean. You opened this bug which is related
>but not the same: https://bugzilla.redhat.com/show_bug.cgi?id=627993
>
>There is an old bug about the global/local default settings issue:
>https://bugzilla.redhat.com/show_bug.cgi?id=190862

I was referring to the bug that the documentation is referring to. The documentation does not mention a specific bug number. It does seem to be the https://bugzilla.redhat.com/show_bug.cgi?id=190862 bug.

>> Can you confirm that this is still a bug or has been resolved. If it has been resolved I will raise another bugzilla to remove this from the documentation.
>>

It appears not to be resolved yet, then.

Thanks
