Gerrard Geldenhuis wrote:
> Hi
> The documentation is not very clear on this...
> 13.1.5 in the latest Admin Guide mentions how password policy is treated in a
> replicated environment but it does not distinguish or confirm that the
> behaviour for global and local password policies is treated in the same way
> with regards to replication.
>
> Do local password policy settings get replicated?
> I would assume yes because it is writes:
>
> dn: cn=cn=nsPwPolicyEntry\,uid=jdoe\,ou=people\,dc=example\,dc=com,
> cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
> objectclass: top
> objectclass: extensibleObject
> objectclass: ldapsubentry
> objectclass: passwordpolicy
>
> according to the documentation.
>
> ( after typing this email I am doubting my assumption )
>
> Can I thus change password policy for a subtree only once or should I be
> changing it on all servers regardless?
>

Yes, but you also have to separately activate global password policy on each server:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy

You must "Enable Fine Grained Password Policy" on every server.

> The reason that prompted me for this question is that I am using an
> "authenticator" user to bind to ldap rather than bind anonymous. This user is
> in my company tree and also falls under the global password policy which it
> should not. If someone with malicious intent wanted to break the system they
> could just use that user with the wrong password 5 times to lock the account.
> That is an obvious flaw which is why I need to change password policy for
> this user and/or group of users.
>
> Best Regards
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
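The split described in the reply, as an added example that is not part of the original thread: a user-level policy entry that lives in the replicated suffix, and the `cn=config` switch that has to be set on each server. It assumes a hypothetical bind account `uid=authenticator,ou=people,dc=example,dc=com` and that exempting this one account from lockout is the policy wanted; both LDIF files are meant for `ldapmodify`.

```ldif
# ---- File A (assumed name: local-policy.ldif) ----
# Entries under dc=example,dc=com are ordinary suffix data, so they
# replicate. Apply once, on one writable supplier.

# Container for policy subentries (skip this add if it already exists).
dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

# User-level policy for the hypothetical bind account: no lockout, so
# repeated bad binds against it cannot lock the service out.
dn: cn=cn=nsPwPolicyEntry\,uid=authenticator\,ou=people\,dc=example\,dc=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,uid=authenticator,ou=people,dc=example,dc=com
passwordLockout: off

# Point the account at its policy entry.
dn: uid=authenticator,ou=people,dc=example,dc=com
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=cn=nsPwPolicyEntry\,uid=authenticator\,ou=people\,dc=example\,dc=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com

# ---- File B (assumed name: enable-fine-grained.ldif) ----
# cn=config is per-server and is not replicated. Apply to EVERY server
# in the topology, otherwise that server ignores the entries from File A
# and keeps applying the global policy to the bind account.
dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on
```

With lockout off, the account has no throttle on password guessing, so give it a long random password and watch the access log for repeated failed binds against it.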