389ds'ers,
I'm struggling to find the best way to apply a password policy only to members of a group, the rest having either the global or user/local policy. I have a number of users whose password should never expire, but those users live in different OUs and don't even share a parent branch. Do you think a CoS might help? Which do you think would be the best way to implement this?
Thanks!
Juan Carlos,
Yes, CoS can help. I had a similar problem and resolved it by using roles and CoS. More precisely, I used a filtered role and then assigned the same password policy to all role members (belonging to different groups) by using a so-called classic-type CoS.
However, I had to assign the password policy by command line, not through the 389 console.
Role dn may be something like this:
dn: cn=roleName,ou=people,dc=example,dc=com
cn: roleName
nsrolefilter: ou=UniquePolicyRole
objectclass: top
objectclass: ldapsubentry
objectclass: nsroledefinition
objectclass: nscomplexroledefinition
objectclass: nsfilteredroledefinition
So when an entry matches the role filter criteria it gets an nsRole attribute that has a value of the kind: cn=roleName,ou=people,dc=example,dc=com
Classic CoS implementation looks a bit tricky:
CoS definition entry:
dn: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosspecifier: nsRole
cosTemplateDN: CoSDefinitionRDN,ou=people,dc=example,dc=com
cosattribute: pwdPolicySubentry default operational-default
objectclass: top
objectclass: ldapsubentry
objectclass: cossuperdefinition
objectclass: cosClassicDefinition
CoS template entry:
dn: CosTemplateRDN,CoSDefinitionRDN,ou=people,dc=example,dc=com
pwdpolicysubentry: PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com
# see more on CoS priorities. The purpose is to always have exactly one password
# policy, i.e. pwdPolicySubentry attribute, active, even if your entry is eligible
# for a few of them.
cospriority: n
objectclass: top
objectclass: costemplate
objectclass: extensibleobject
objectclass: ldapsubentry
As a result, an entry belonging to roleName role would have pwdpolicysubentry with a value of “dn:PwdPolicyRDN,cn=PwdPolicies,ou=people,dc=example,dc=com”
I hope this helps.
Jovan
Jovan Vukotić • Senior Software Engineer • Ambit Treasury Management • SunGard • Banking • Bulevar Milutina Milankovića 136b, Belgrade, Serbia • tel: +381.11.6555-66-1 • jovan.vukotic@sungard.com
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Juan Carlos Camargo
Sent: Thursday, August 29, 2013 2:13 PM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Password policy applied to a group
Juan Carlos Camargo Carrillo. @jcarloscamargo 957-211157 , 650932877
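An offline model of the role-plus-classic-CoS chain described above, added here as an illustration (not code from the thread or from 389 DS): it shows which entries pick up nsRole, why the template RDN must carry the role DN (classic CoS looks the template up at cn=<cosSpecifier value>,<cosTemplateDn>), and that the lowest cosPriority wins while an entry's own pwdPolicySubentry beats the "default" qualifier. The second role, the policy names and the quoted-DN form of the template RDN are assumptions for illustration.

```python
"""Constructed offline model of the filtered role + classic CoS chain from the
thread; an added illustration, not 389 DS code. Placeholder DNs are assumed."""

BASE = "ou=people,dc=example,dc=com"
POLICIES = "cn=PwdPolicies," + BASE
COS_TEMPLATE_DN = "cn=CoSDefinitionRDN," + BASE   # cosTemplateDn of the definition

# Filtered roles: role DN -> (attribute, value) of a simple equality nsRoleFilter.
ROLES = {
    "cn=roleName," + BASE: ("ou", "UniquePolicyRole"),
    "cn=contractors," + BASE: ("employeeType", "contractor"),  # assumed second role
}

# Classic CoS resolves the template at cn=<cosSpecifier value>,<cosTemplateDn>;
# with cosSpecifier nsRole the template RDN therefore carries the role DN.
# Lower cosPriority wins when an entry qualifies for several templates.
TEMPLATES = {
    'cn="cn=roleName,%s",%s' % (BASE, COS_TEMPLATE_DN):
        {"pwdpolicysubentry": "cn=NeverExpire," + POLICIES, "cospriority": 0},
    'cn="cn=contractors,%s",%s' % (BASE, COS_TEMPLATE_DN):
        {"pwdpolicysubentry": "cn=Strict90Days," + POLICIES, "cospriority": 1},
}

def ns_roles(entry):
    """Virtual nsRole values: every filtered role whose filter matches the entry."""
    return [dn for dn, (attr, val) in ROLES.items()
            if val in entry.get(attr.lower(), [])]

def pwd_policy(entry):
    """pwdPolicySubentry as seen through 'cosAttribute: pwdPolicySubentry default'."""
    if entry.get("pwdpolicysubentry"):
        return entry["pwdpolicysubentry"][0]      # 'default': a real value wins over CoS
    candidates = []
    for role in ns_roles(entry):
        tmpl = TEMPLATES.get('cn="%s",%s' % (role, COS_TEMPLATE_DN))
        if tmpl:
            candidates.append((tmpl["cospriority"], tmpl["pwdpolicysubentry"]))
    if not candidates:
        return None                               # global or subtree policy applies
    return min(candidates)[1]                     # exactly one policy survives

# Constructed sample entries from different OUs; keys are lowercased attribute names.
SVC_ACCOUNT = {"uid": ["svc1"], "ou": ["UniquePolicyRole"]}
CONTRACTOR = {"uid": ["bob"], "employeetype": ["contractor"]}
BOTH = {"uid": ["eve"], "ou": ["UniquePolicyRole"], "employeetype": ["contractor"]}
PINNED = {"uid": ["amy"], "ou": ["UniquePolicyRole"],
          "pwdpolicysubentry": ["cn=Local," + POLICIES]}
PLAIN = {"uid": ["joe"], "ou": ["Sales"]}
```

Running pwd_policy over the five sample entries shows the never-expire policy reaching role members in any OU, the contractor policy losing to the higher-priority template for an entry in both roles, and entries outside every role falling back to the global or subtree policy.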
Jovan,
I've never used roles before; I'm still AD-fashioned and can't see beyond groups and memberOf. But I'm no beginner with CoS and I knew they would come in handy somehow.
Thanks so much for sharing that approach. It does help a lot, it solves the problem, it makes my day :)
Regards!
jC
----- Original message -----
From: "Jovan VUKOTIC" Jovan.VUKOTIC@sungard.com
To: 389-users@lists.fedoraproject.org, juancarlos@eprinsa.es
Sent: Thursday, 29 August 2013 15:49:41
Subject: RE: Password policy applied to a group