https://bugs.openldap.org/show_bug.cgi?id=10199
Issue ID: 10199
Summary: pwdPolicySubentry set at user level
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: kiruthiga_rajangam@comcast.com
Target Milestone: ---
I have three distinct password policies, and I aim to apply one of them to a user group so that members of the group inherit the policy. However, when I set the pwdPolicySubentry attribute of the group, the members do not seem to inherit the policy automatically. Instead, each member must be individually assigned the pwdPolicySubentry attribute for the policy to take effect.
Is there something I'm overlooking in this process?
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | UNCONFIRMED | RESOLVED
Resolution | --- | INVALID
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
OpenLDAP 2.4.x is a historic unsupported release; issues with ppolicy (which had significant changes in the 2.5+ series) will not be investigated.
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Keywords | needs_review | 
Status | RESOLVED | VERIFIED
Kiruthiga kiruthiga_rajangam@comcast.com changed:
What | Removed | Added
Version | 2.4.59 | 2.5.9
--- Comment #2 from Kiruthiga kiruthiga_rajangam@comcast.com ---
I tried the same with 2.5.9 as well.
I create a new group and assign that group with a password policy. I add members to that new group by configuring the DN of the user as member.
When I do an LDAP search for that particular user and search for the attribute pwdPolicySubentry, nothing is returned. I assume the user is tagged with a default policy.
I expect it to return the new policy that's added to the group, because the user is a member of that group.
Kiruthiga kiruthiga_rajangam@comcast.com changed:
What | Removed | Added
Summary | pwdPolicySubentry set at user level | pwdPolicySubentry set at group level is not taking any effect on the members part of that group
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to Kiruthiga from comment #2)
> I tried the same with 2.5.9 as well.
Why? The current 2.5 release is 2.5.17.
In any case, your behavior expectations do not line up with the man page:
Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. In this way different users may be managed according to different policies.
See also the Admin guide:
https://www.openldap.org/doc/admin25/overlays.html#Password%20Policies
If you have further usage questions about ppolicy, I suggest you use the openldap-technical email list. You can subscribe at https://lists.openldap.org/
--- Comment #4 from Ondřej Kuzník ondra@mistotebe.net --- As Quanah pointed out, there is nothing in the ppolicy documentation that would suggest what you're doing should have any effect. The closest is the new "policy rules" feature introduced in ITS#9343 (present in 2.7 which is yet to be released).
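The rule comments #3 and #4 point to, worked through as an added example (this is not code from the bug report or from the OpenLDAP project): ppolicy resolves the effective policy from the entry's own pwdPolicySubentry, else from the overlay's configured default (olcPPolicyDefault), and never by walking group membership. The script below models that resolution over a constructed sample directory and then emits the ldapmodify LDIF that does what the man page actually requires, copying the group's pwdPolicySubentry onto each member entry. The DNs, policy names and the `groupOfNames` layout are assumptions for illustration.

```python
"""Added example, not from the OpenLDAP bug report or project: model how
slapo-ppolicy picks an entry's effective policy and generate the per-member
LDIF needed because the overlay does not propagate pwdPolicySubentry
through group membership."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample directory (assumed DNs and policy names).  The group
# carries pwdPolicySubentry the way the report tried; ppolicy ignores that
# for the members.  bob has an explicit per-entry policy, alice has none.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword

dn: cn=strict,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: device
cn: strict
pwdAttribute: userPassword
pwdMinLength: 14

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
pwdPolicySubentry: cn=strict,ou=policies,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: blank lines separate entries, '#' lines are
    comments, a leading space continues the previous value.  Attribute
    names are lower-cased because LDAP compares them case-insensitively."""
    entries: Dict[str, Entry] = {}
    block: List[str] = []

    def flush(lines: List[str]) -> None:
        if not lines:
            return
        dn: Optional[str] = None
        entry: Entry = {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                entry.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF entry without a dn line")
        entries[dn] = entry

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush(block)
            block = []
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]
        else:
            block.append(raw)
    flush(block)
    return entries


def effective_policy(entries: Dict[str, Entry], dn: str,
                     default_policy: Optional[str]) -> Optional[str]:
    """slapo-ppolicy(5) rule: the entry's own pwdPolicySubentry wins,
    otherwise the configured default, otherwise the entry is not under
    any policy.  Group membership is deliberately not consulted."""
    own = entries[dn].get("pwdpolicysubentry")
    return own[0] if own else default_policy


def propagate_policy_ldif(entries: Dict[str, Entry], group_dn: str) -> str:
    """Emit ldapmodify LDIF that sets pwdPolicySubentry on every member of
    group_dn to the value the group carries: the per-account assignment the
    man page requires, done mechanically instead of by hand."""
    policy = entries[group_dn].get("pwdpolicysubentry")
    if not policy:
        raise ValueError(f"{group_dn} carries no pwdPolicySubentry")
    changes = []
    for member in entries[group_dn].get("member", []):
        if member not in entries:  # refuse to touch DNs we cannot see
            raise KeyError(f"member {member} not found in directory")
        changes.append(f"dn: {member}\nchangetype: modify\n"
                       f"replace: pwdPolicySubentry\n"
                       f"pwdPolicySubentry: {policy[0]}\n-\n")
    return "\n".join(changes)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    default = "cn=default,ou=policies,dc=example,dc=com"
    for uid in ("alice", "bob"):
        dn = f"uid={uid},ou=people,dc=example,dc=com"
        print(uid, "->", effective_policy(directory, dn, default))
    print(propagate_policy_ldif(directory, "cn=admins,ou=groups,dc=example,dc=com"))
```

Feed the generated LDIF to `ldapmodify` as an identity permitted to write pwdPolicySubentry, then verify with `ldapsearch -b "uid=alice,ou=people,dc=example,dc=com" pwdPolicySubentry`; the attribute is operational, so it has to be requested by name (or with `+`) and will not appear in a default `ldapsearch` that returns only user attributes.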