Password policy through roles
Hi,
I have two password policies in my LDAP, mapped to the users through roles. One for active users and the other for inactive users. When I change the status from active to inactive, sometimes the inactive password policy gets enabled, and sometimes it does not. The nsroles attribute in the user profile always gets updated according to the role, but the password policy subentry attribute is sometimes not getting updated.
Can anyone help me with this?
Thanks in advance,
Navanidhi
This is probably a cache synchronization problem. Not something that I ever heard before though.
How quick do you check the password policy after changing the user status ?
Have you tried checking a minute or more after the change ?
Ludovic.
Similar Messages
-
Password Policy on Directory Server 11.1.1.7.2
Hi,
I'm trying to set up a password policy with DS 11.1.1.7.2 but it doesn't seem to be getting applied to the users. I went through the DSCC gui and created a new policy that is supposed to remember the last 3 passwords and also expire in a couple days just for test purposes. I then set the compatibility mode to Directory Server 6 and clicked on "Assign Policy" and selected ou=people,o=xxxxxx,o=isp where my test accounts are.
I've then tried using ldapmodify using the credentials of the accounts whose passwords I'm changing and it allows me to reuse the same passwords. I saw something about using a virtual attribute for assigning users to a policy. Is that required also?
dn: cn=TestPWpolicy1,o=xxxxxxx,o=isp
cn: TestPWpolicy1
objectclass: sunPwdPolicy
objectclass: pwdPolicy
objectclass: ldapsubentry
objectclass: top
passwordrootdnmaybypassmodschecks: on
passwordstoragescheme: CRYPT
pwdallowuserchange: true
pwdattribute: userPassword
pwdcheckquality: 2
pwdexpirewarning: 86400
pwdinhistory: 3
pwdmaxage: 172800
pwdminage: 0
pwdminlength: 2
pwdmustchange: false
createtimestamp: 20150302195541Z
creatorsname: cn=admin,cn=administrators,cn=dscc
entrydn: cn=testpwpolicy1,o=xxxxxxxx,o=isp
entryid: 28
hassubordinates: FALSE
modifiersname: cn=admin,cn=administrators,cn=dscc
modifytimestamp: 20150302195541Z
nsuniqueid: 0a0ca681-c11611e4-800799c3-4c540d75
numsubordinates: 0
parentid: 2
subschemasubentry: cn=schema
Thanks for any help.
Hello,
A user entry references a custom password policy through the value of the operational attribute pwdPolicySubentry. When referenced by a user entry, a custom password policy overrides the default password policy for the instance.
It is unclear to me whether you want to assign the new password policy to an individual account or to every user in ou=people,o=xxxx,o=isp.
To assign a password policy to an individual account, just add the password policy DN to the values of the pwdPolicySubentry attribute of the user entry, e.g.
$ cat pwp.ldif
dn: uid=dmiller,ou=people,o=xxxxxxx,o=isp
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
$ ldapmodify -D cn=directory\ manager -w - -f pwp.ldif
Enter bind password:
modifying entry uid=dmiller,ou=people,o=xxxxxxx,o=isp
$ ldapsearch -D cn=directory\ manager -w - -b dc=xxxxxxx,o=isp \
"(uid=dmiller)" pwdPolicySubentry
Enter bind password:
version: 1
dn: uid=dmiller, ou=People, o=xxxxxxx,o=isp
pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
$
See Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
You can also assign a password policy to a set of users using cos/roles virtual attributes as described in section 8.3.4 at Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
-Sylvain
-
Password policy not working fully through SPML
We've come across a problem with password policy enforcement on IdM 6.0 where the "Number of Previous Passwords that Cannot be Reused" gets ignored. Consequently I can set the password back and forth between two values without error.
If I attempt this through the IdM password interface, I get the message:
Policy Violation (Password on Lighthouse User): New password cannot match any of the 4 previous passwords for this account.
This is the response I am after through the SPML interface.
Should this be supported? If it should be, where might I be going astray?
The "Identity system account policy" set on the organisation I'm using is correctly configured to use the password policy as far as I can tell.
Edited by: SuperDuperJavaSnooper on Aug 19, 2009 9:44 PM
How do I go about reporting this as a bug of IdM 6.0?
-
Implementing password policies using Role and CoS
Hi all,
I have created a directory with the following partial structure (Sun directory 5.2 patch 2):
ou=people,o=accounts,c=an
|----- cn=user1
|----- cn=user2
|----- cn=user3
ou=services,o=accounts,c=an
|---------cn=user4
|---------cn=user5
|---------cn=user6
I want to assign different password policies based on the ou.
I read within the admin guide that there is a way to do that through CoS and Role: http://docs.sun.com/source/817-7613/useracct.html#wp19625
So I create following records:
- Customized Password Policy Container:
dn: cn=Customized Password Policy, c=an
objectClass: top
objectClass: nsContainer
cn: Customized Password Policy
- External User Customized Password Policy: (same as the global one)
dn: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
objectClass: top
objectClass: passwordPolicy
cn: externalUserPwdPolicy
passwordInHistory: 5
passwordWarning: 432000
passwordExpireWithoutWarning: on
passwordRootdnMayBypassModsChecks: on
passwordLockout: on
passwordMaxFailure: 3
passwordMaxAge: 5184000
passwordCheckSyntax: off
passwordResetFailureCount: 1200
passwordMinLength: 8
passwordStorageScheme: SHA
passwordChange: on
passwordMinAge: 86400
passwordMustChange: off
passwordUnlock: off
passwordLockoutDuration: 3600
passwordExp: on
- Service Account Customized Password Policy: (same as the global one except that there is no expiration for password and the password minimum age is set to 2 days instead of one)
dn: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
objectClass: top
objectClass: passwordPolicy
cn: serviceAccountPwdPolicy
passwordInHistory: 5
passwordWarning: 432000
passwordExpireWithoutWarning: on
passwordRootdnMayBypassModsChecks: on
passwordLockout: on
passwordMaxFailure: 3
passwordMaxAge: 5184000
passwordCheckSyntax: off
passwordResetFailureCount: 1200
passwordMinLength: 8
passwordStorageScheme: SHA
passwordChange: on
passwordMinAge: 172800
passwordMustChange: off
passwordUnlock: off
passwordLockoutDuration: 3600
passwordExp: off
- External User Role:
dn: cn=externalUserRole,c=an
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: externalUserRole
nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=people*))
Description: Filtered role for external users
- Service Account Role
dn: cn=serviceAccountRole,c=an
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: externalUserRole
nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=services*))
Description: Filtered role for external services account
- Template Container for Customized Password Policy:
dn: cn=pwdPolTemplateContainer, c=an
objectClass: top
objectClass: nscontainer
- Class of Service (CoS) Definition for password policy:
dn: cn=PwdPol_CoSDefinition, c=an
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: PwdPol_CoSDefinition
cosAttribute: passwordPolicySubentry operational
cosTemplateDn: cn=pwdPolTemplateContainer, c=an
cosSpecifier: nsRole
- Class of Service (CoS) Template for ExternalUserRole:
dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: LDAPsubentry
cosPriority: 2
passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
- Class of Service (CoS) Template for ServiceAccountRole:
dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: LDAPsubentry
cosPriority: 2
passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
- The thing is that it does not work: if I disable the global password policy, I can set a 3-character password even though I specified in the sub password policy that passwordMinLength is equal to 8 characters.
Many thanks in advance for your help.
Gregoire
Hmm,
Pretty cool.
I just finished doing it the hard-way when I saw your post :(.
I tried it anyways, and it did all the work that I had done by hand in the previous try. Which was ...
1) Creating the filtered role (same in both approaches).
2) Creating a Container for COS Templates.
3) Creating a COS Template with a dn having a cn string of the full dn to the role in 1) above. Had to use generic entry editor to add all the additional attributes as below ...
dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",
 cn=PolTempl,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: LDAPsubentry
objectclass: costemplate
cosPriority: 1
passwordPolicySubentry: cn=TempPolicy,dc=example,dc=com
(started with a new costemplate and then added all the above attributes, also involved things like changing the naming attribute - the dn - from cosPriority to the one cn as shown above)
4) Creating a COS with ...
4.1) passwordpolicysubentry as a generated attribute that is overriding and operational (this is picked from the matched CoS template)
4.2) Use the template container's dn from 2) above for the TemplateDN value.
4.3) Use nsrole of the target entry to narrow down to the COS template as in 3) above. I.e. "template"->"attribute name" value is set to "nsRole"
(So when a user's nsrole maps to a cn value of an entry under the TemplateDN subtree. That template applies.) -
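A consistency check for the role-keyed classic CoS layout discussed in this thread, as an added example that is not part of the original posts: it parses LDIF and verifies that each template's RDN names an existing role, that the template carries the attribute named in cosAttribute, and that the referenced policy entry exists. The sample LDIF is constructed, and the function names (parse_ldif, lint and their helpers) are hypothetical.

```python
import re

# Constructed sample modelled on the entries posted in this thread (DS 5.2 names).
SAMPLE_LDIF = """\
dn: cn=svcPolicy,cn=Policies,c=an
objectClass: passwordPolicy
cn: svcPolicy

dn: cn=serviceAccountRole,c=an
objectClass: nsFilteredRoleDefinition
cn: externalUserRole

dn: cn=PwdPol_CoSDefinition,c=an
objectClass: cosClassicDefinition
cn: PwdPol_CoSDefinition
cosAttribute: passwordPolicySubentry operational
cosTemplateDn: cn=pwdPolTemplateContainer, c=an
cosSpecifier: nsRole

dn: cn="cn=serviceAccountRole, c=an",
 cn=PwdPolTemplateContainer, c=an
objectClass: costemplate
passwordPolicySubentry: cn=svcPolicy, cn=Policies, c=an
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into [(dn, {attr_lower: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        # A line starting with one space continues the previous line (folding).
        for line in block.replace("\n ", "").splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def split_dn(dn):
    """Split a DN on commas that are outside double quotes."""
    return [p.strip() for p in re.findall(r'(?:"[^"]*"|[^,"])+', dn)]

def first_rdn(dn):
    """Return (lower-cased attribute, unquoted value) of the leftmost RDN."""
    attr, _, val = split_dn(dn)[0].partition("=")
    return attr.strip().lower(), val.strip().strip('"')

def norm(dn):
    """Normalise a DN for comparison: lower-case, no spaces around ',' or '='."""
    pairs = (rdn.partition("=") for rdn in split_dn(dn))
    return ",".join(f"{a.strip()}={v.strip()}".lower() for a, _, v in pairs)

def lint(entries):
    """Return findings for a role-keyed classic CoS password policy setup."""
    by_dn = {norm(dn): attrs for dn, attrs in entries}
    findings = []
    for dn, attrs in entries:
        attr, val = first_rdn(dn)
        have = [v.lower() for v in attrs.get(attr, [])]
        if have and val.lower() not in have:  # naming attribute disagrees with DN
            findings.append(f"{dn}: {attr} value does not match RDN")
        classes = [o.lower() for o in attrs.get("objectclass", [])]
        if "cosclassicdefinition" not in classes:
            continue
        # First token of cosAttribute is the attribute name; the rest are qualifiers.
        cos_attr = attrs["cosattribute"][0].split()[0].lower()
        container = norm(attrs["costemplatedn"][0])
        if attrs.get("cosspecifier", [""])[0].lower() != "nsrole":
            findings.append(f"{dn}: cosSpecifier is not nsRole")
        templates = [(t, a) for t, a in entries if norm(t).endswith("," + container)]
        if not templates:
            findings.append(f"{dn}: no template under cosTemplateDn")
        for tdn, tattrs in templates:
            role = first_rdn(tdn)[1]  # template RDN value is the full role DN
            if norm(role) not in by_dn:
                findings.append(f"{tdn}: no role entry {role}")
            if not tattrs.get(cos_attr):
                findings.append(f"{tdn}: template lacks {cos_attr}")
            for target in tattrs.get(cos_attr, []):
                if norm(target) not in by_dn:
                    findings.append(f"{tdn}: policy entry {target} not found")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Because the attribute name is read from cosAttribute, the same check applies whether the deployment uses passwordPolicySubentry or pwdPolicySubentry.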
How to ignore the password policy in a custom workflow?
Hi,
We have a custom workflow which is called via SPML to provide 'Administrator Change Password' functionality in a portal.
Our password policy sets the String Quality rules and Number of Previous Passwords that Cannot be Reused. But we would like to bypass the password policy for the password administrators (who have an admin role with a capability - 'Change Password Administrator'). At least, the restriction 'Number of Previous Passwords that Cannot be Reused' needs to be ignored (but the password needs to be added to the history... cannot disable adding passwords to history).
Please advise me how it could be achieved.
The workflow steps:
1. Checkout 'ChangeUserPassword' view for the user as an administrator
2. Set the new password in the view, set true to view.savePasswordHistory
3. Set password on the resources
4. Checkin the view
Thanks
Siva
Thanks eTech.
My main goal is to skip the password history check (the new password can't be one of the last 10 used passwords) when the admin change password workflow is launched. As you suggested, I created a special password policy exactly like our regular password policy, excluding the "Number of Previous Passwords that Cannot be Reused" setting.
Then, before changing the password of a user as admin, the special policy is attached, the password is changed, and the user's password policy is reverted back to the regular one. The issue is, as the special policy does not enforce the password history check, the whole password history of the user is wiped out from the user object when the password is changed by the admin change password workflow. We don't want this to happen.
Please guide me whether there is any way to achieve just ignoring the password history without any other impact on the user.
Is adding passwords to the user object's password history list triggered by the "Number of Previous Passwords that Cannot be Reused" setting of the password policy?
Thanks
Siva -
How to search for password policy
Hello,
Using DS 5.2:
I've created a test policy, dn: cn=Test Policy,ou=People, o=xxx, o=isp. I can apply the policy, I can see the policy in my backup ldifs, but I can't figure out how to search for and display it (and eventually, delete it) either from the command line using ldapsearch or from within the admin gui. Any help? -
802.1x, IP Phones, MAB and AD password policy
I am currently working on an 802.1x pilot. I have successfully deployed certificates for PCs and users and I'm able to assign VLAN etc in a reliable fashion.
I would like to enable MAC Authentication Bypass on the voice VLAN for IP phones. The problem is, when I create a user with the phone's MAC address as a user name, our AD Domain policy does not allow the password to also be the MAC address. Disabling this policy temporarily for adding these users is not a credible solution for us. I'd rather not use third party software that allows for diversity in AD password policy.
I've seen it implied that the switch (3560 in my case) can be configured to send the Radius secret rather than the device MAC address as the device's password, is this true? If so, how?
Thanks!
With MAC-Auth-Bypass, the end station (phone in your case) doesn't interact with the auth method at all. The switch authenticates the MAC after being learned by the switch on behalf of the end-station.
This is a limitation in Windows Server today. This can be controlled through a GPO in Server 2008. Another option(s) is to store the "phone user accounts" directly on the AAA server or another database that allows the ability for this.
Also, to authenticate a phone at all, and to support PCs, you need to configure Multi-Domain-Authentication (MDA) on the 3560. See here:
<http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA>
Hope this helps, -
Using class of service to manage password policy
We implemented password policy on our old DS across the board, which entailed finding all of the special administrative accounts used by software and setting an expiration date at the end of the epoch. I was wondering if a smarter way to do this is to create a class of service template for normal and special accounts and tie those into our user accounts. Has anyone done this?
Thanks.
Sun DS 5.2 supposedly has support for the latest LDAP password policy internet draft which allows you to explicitly setup password policy on a subtree or user basis. It uses roles and class of service under the covers. I would use that instead of rolling your own.
-
Sun Directory Server Password Policy Problems
Hi,
I am using Sun Directory Server and Sun AM (2005Q1).
We are using SUN DS to configure the password policy to expire user passwords after 30 days.
Also, the warning has been set to "one day before expiry". However, when the warning IS displayed to the user and the user changes his/her password on display of the warning, even though the user's password expiration timestamp attribute contains a new timestamp (which is 30 days hence the date of change), on next login user is AGAIN thrown the warning that his/her password will expire in "HH hours: MM mins".
I do not understand what needs to be done to fix this. Any help would be appreciated.
How is the user authenticated? Through Access Manager or directly to the Directory Server?
Access Manager can be configured to handle Password expiration, and so can Directory Server. I would advise you to check which system is actually throwing the warning.
Regards,
Ludovic -
How to list current password policy
Hello all,
This is my first post here. I just finished the DBA Workshop 1 course and my company is migrating from 8i to 10g.
Our primary DBA is on vacation and before he left asked me to look at the new 10g install he did in our test environment. I noticed on the OEM there were some policy violations and I'm using MetaLink and hopefully this forum to resolve them.
What I would like to do is query my 8i instance for the current password policy and apply those to our test 10g instance. Can anyone provide a query to retrieve this info?
Thanks,
Bill
What I would like to do is query my 8i instance for the current password policy
Can anyone provide a query to retrieve this info?
connect as sys
in Oracle 8i and issue the command;
select object_name,object_type from all_objects where object_name like '%PASS%';
and
select object_name,object_type from all_objects where object_name like '%POLICY%';
I think, I'm not sure, these policies would be transferred to 10g through migration except -if any- some of them are obsolete to 10g!
Regards,
Simon -
The setup:
We have the option "Password must: be reset on first user login" enabled in the Global Password Policy on our 10.9 / Mavericks server. We import new user accounts into Open Directory via a delimited text file and include a default password for each user.
What I've observed and tested:
When a user attempts to log into a computer that's bound to our Open Directory for the first time, they can enter anything in the password field and still receive the prompt to reset their password. They are never notified that they entered their default password incorrectly. The password reset will then fail (as it should), but they still aren't notified that this is the reason for the password reset failure. To put it another way: Seeing the prompt to reset your password would reasonably imply that you entered the default password correctly, but that's not the case at all.
The question:
Is this expected behavior? If it is, it doesn't seem logical. If this was the case in OS X Server 10.3 through 10.7 I never noticed it. Can anyone corroborate this with their own setup? Thanks in advance.
-- Steve
Some follow up questions:
- How did you migrate (dsmig ldif or binary import)
- Did the accounts in .x have any custom password policies set?
For a "new" and a migrated entry, can you check if a passwordpolicysubentry is configured?
(search as directory manager and fetch the attribute) -
Unable to set Password Policy controls
When I call oracle.ldap.util.User.authenticateUser() I receive the exception "Unable to set Password Policy controls". What is the cause of this error? I was not able to find anything useful through Google searches.
I am running everything inside ServiceMix. Furthermore, I am able to create a context and retrieve properties through oracle.ldap.util.User.getProperties().
Here is the stack trace:
my.company.Exception.AuthenticationException: Unable to set Password Policy controls
at my.company.OracleLdap.authenticateClient(OracleLdap.java:171)
at service.AuthenticationInInterceptor.isAuthenticated(AuthenticationInInterceptor.java:55)
at service.AuthenticationInInterceptor.handleMessage(AuthenticationInInterceptor.java:32)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:111)
at org.apache.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:80)
at org.apache.cxf.transport.http_osgi.OsgiServletController.invokeDestination(OsgiServletController.java:321)
at org.apache.cxf.transport.http_osgi.OsgiServletController.invoke(OsgiServletController.java:107)
at org.apache.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:53)
at org.apache.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:401)
at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.handle(HttpServiceContext.java:111)
at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:68)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Caused by: oracle.ldap.util.UtilException: Unable to set Password Policy controls
at oracle.ldap.util.User.authenticateUser(User.java:1243)
at my.company.OracleLdap.authenticateClient(OracleLdap.java:158)
... 29 more
Edited by: user1094798 on Feb 22, 2011 12:53 PM
Edited by: user1094798 on Feb 22, 2011 12:55 PM
Edited by: user1094798 on Feb 22, 2011 1:17 PM
I fixed it by changing the way my InitialDirContext is created.
Previously I was using:
InitialDirContext ctx = oracle.ldap.util.jndi.ConnectionUtil.getDefaultDirCtx(hostname, portNum, adminName, adminPass);
Now I'm using:
// Needs java.util.Hashtable, javax.naming.Context and javax.naming.directory.InitialDirContext
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://" + hostname + ":" + portNum);
env.put(Context.SECURITY_PRINCIPAL, adminName);
env.put(Context.SECURITY_CREDENTIALS, adminPass);
InitialDirContext ctx = new InitialDirContext(env);
Edited by: user1094798 on Feb 23, 2011 8:29 AM -
OAM Password policy not working.
Hi All,
I am configuring a password policy in OAM which enforces the user to reset his password at first login. OAM is using OID as user store and I have added oblix password related objectclasses to OAM schema. OIM is used to provision all users to OID. I have also enabled the Checkbox Change on Reset in password policy.
I have also made certain attributes visible in OAM user manager such as obpasswordchangeflag, oblastsuccesfullogin, oblastfaillogin etc.
Once the user is created in OID through OIM, the values for attributes obpasswordchangeflag, oblastsuccesfullogin, oblastfaillogin are empty.
Case1: obpasswordchangeflag attribute value is empty for user say oamtestuser. oamtestuser logs in to OAM protected application with default password provided in OIM. I could see the oblastsuccesfullogin attribute value updated in oamtestuser profile as expected. Similarly oblastfaillogin value also got updated for failed login as expected.
Case2: obpasswordchangeflag set to true manually in user profile for oamtestuser. oamtestuser logs into OAM protected application with default password. Upon submit, user is redirected to the change password page which prompts the user to enter current password and new password. Upon submit user will be shown another page with back button. Upon clicking back button, user is asked to login to the application once again with new password. Upon submit, user is shown change password page again instead of logging in to the application with new password. I have noticed that obpasswordchangeflag attribute value is still set as true.
Case3: After executing Case2, even after modifying the obpasswordchangeflag value to false or making it empty, the attribute values of oblastsuccesfullogin and oblastfaillogin are not getting updated accordingly.
Please let me know if you have any clue on this.
This is really urgent. Would appreciate quick help.
Thanks.
Mahendra.
Hi Sagar,
Thanks for the response.
Another major update: When we tried creating user using OAM workflow, the obpasswordchangeflag got true value by default and password change functionality worked as expected. So it is obviously an issue with provisioning user through OIM. We manually created an attribute obpasswordchangeflag and provisioned a new user with value as true but still the user profile in OAM User Manager for attribute obpasswordchangeflag is empty. This means that there needs to be some mapping which we are missing i.e., an attribute in OIM has to be mapped correctly with OID attribute obpasswordchangeflag .
So we are searching for this mapping stuff. Do you have any other opinion on this?
Thanks
Mahendra. -
Custom Password policy for ProxyAgent
Solaris 10 Server Directory Server LDAP 6.3. Clients are Solaris 10.
The clients use "proxyagent" user located in ou=profile. When I create a Global Password policy and apply to my top level dc, then this service account can "expire". I can't have my service accounts expiring...
How do you create a custom filter with NO account lockout, expiration, etc? The DSCC wizard doesn't allow you to as the last step of the wizard must have a bug because even though you don't click the Lockout radio button, the webpage asks you to fill in a number for account lockout of 1 to 32768. Ugggh.
Question 2: how do you apply a custom password policy to ALL of ou=people? I can do it one by one to dn's under the ou=people, but I want it on the parent so new users get the custom password policy. Everything I try, the Global Password Policy wins. (And can't seem to be done via the DSCC but rather through command line)
Help.
Thanks,
Sean
How do you create a custom filter with NO account lockout, expiration, etc?
The DSCC wizard doesn't allow you to as the last step of the wizard must have
a bug because even though you don't click the Lockout radio button, the
webpage asks you to fill in a number for account lockout of 1 to 32768. Ugggh.
Logged a new bug
http://sunsolve.sun.com/search/document.do?assetkey=1-1-6787917-1
The clients use "proxyagent" user located in ou=profile. When I create a Global Password
policy and apply to my top level dc, then this service account can "expire". I can't have
my service accounts expiring...
Password policies have to be applied to individual accounts (manually or via CoS). So you
may need to create a new password policy and assign it to the proxyagent user. Since DSCC
does not seem to allow you to do that, best to munge it via the commandline (after specifying
the lockout in dscc). Yes, it's ugly but a bug has been logged. Please contact Sun Support if
you want a fix against 6.3 (quote the above bug number) -
OS X Server OD & Password Policy
Here's a question for someone that has experience with OD, network accounts and password policy.
All on 10.9 with the latest updates, there’s a Mac Mini OD Master offering DNS, File Sharing, Mail, Contacts, Calendar and another Mac Mini OD Replica. A total of 20 Macs bound to OD and using Network Accounts. Everything seems to be working fine but they have an OD Global Password Policy as follows:
- Passwords must:
- differ from account name
- contain at least one letter
- contain both uppercase and lowercase letters
- contain at least one numeric character
- contain at least 8 characters
- differ from last 3 passwords used
- be reset every 45 days
Everything is relatively working fine except for the Password Policy because of the following:
- Users are not getting any prompt about their password coming to expire
- When the user’s password expires and since they are not getting any warning, users suddenly get no access to services
- Some users are unable to successfully modify their password, they get prompted to change it and when entering the new password (when logging in through AFP), it shakes even though the new password complies with the Password Policy and the only way to get them logged in is by manually resetting the user’s password with the Server App.
Ideas and suggestions are greatly appreciated.
thx - solved.
Just keep »identification« empty! :-o