I'm trying to disable the password expiration for a certain subtree, but after I created that subtree policy, 389 started to store userpassword as plaintext for this subtree.
Steps to reproduce:
1. Enable global policy with password expiration
2. Create a subtree policy using ns-newpwpolicy.pl (without password expiration)
3. Change user password
4. After that, 389 starts to store userpassword as plaintext on this subtree
If I use 389 console to create the subtree policy, everything works fine.
Analysing the nsPwPolicyContainer and nsPwTemplateEntry, I could not find any difference.
ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=APLICACOES,dc=my,dc=domain",cn=nsPwPolicyContainer,OU=APLICACOES,dc=my,dc=domain' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'
icyContainer, APLICACOES, my.domain
dn: cn=cn\3DnsPwTemplateEntry\2COU\3DAPLICACOES\2Cdc\3Dmy\2Cdc\3Ddomain,cn=n
 sPwPolicyContainer,OU=APLICACOES,dc=my,dc=domain
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: cn=nsPwTemplateEntry,OU=APLICACOES,dc=my,dc=domain
search: 2
result: 0 Success
Need investigation.
Metadata Update from @nhosoi: - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @mreynolds: - Issue close_status updated to: None - Issue tagged with: Investigate
Metadata Update from @mreynolds: - Issue assigned to mreynolds
Using ns-newpwpolicy.pl does not set the storage scheme. So using CLEAR is the default behaviour. However the console incorrectly shows that a password storage scheme is set for the subtree policy, but in fact it is not. So this is a console bug.
For now you just need to set passwordStorageScheme in the subtree policy and everything will work as expected.
Adjusting milestone to admin server...
Metadata Update from @mreynolds: - Issue set to the milestone: 389-admin,console 1.1.44 (was: 0.0 NEEDS_TRIAGE)
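As an added example (not from the ticket or the 389 project), this Python check scans an LDIF export of the subtree for userPassword values stored without a hash, to find the entries written while the subtree policy had no passwordStorageScheme. The sample LDIF and its uids are constructed, and treating both an unprefixed value and a {CLEAR} prefix as cleartext is an assumption about how the value appears in the export.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def find_cleartext_passwords(ldif_text):
    """Return [(dn, reason)] for userPassword values stored without a hash."""
    # Unfold LDIF continuation lines (a newline followed by one space).
    text = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    findings = []
    for block in text.split("\n\n"):
        dn = None
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z0-9;-]+)(::?)\s*(.*)$", line)
            if not m:
                continue  # comment lines and anything that is not attr: value
            attr, sep, value = m.groups()
            if sep == "::":  # "::" marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword":
                scheme = SCHEME_RE.match(value)
                if scheme is None:
                    findings.append((dn, "no scheme prefix"))
                elif scheme.group(1).upper() == "CLEAR":
                    findings.append((dn, "{CLEAR} scheme"))
    return findings

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export: one hashed (and folded) value, two cleartext ones.
hashed = b64("{SSHA}" + "A" * 48)
SAMPLE_LDIF = (
    "dn: uid=app1,OU=APLICACOES,dc=my,dc=domain\n"
    f"userPassword:: {hashed[:20]}\n {hashed[20:]}\n"
    "\n"
    "dn: uid=app2,OU=APLICACOES,dc=my,dc=domain\n"
    "userPassword: constructed-secret\n"
    "\n"
    "dn: uid=app3,OU=APLICACOES,dc=my,dc=domain\n"
    f"userPassword:: {b64('{clear}constructed-secret')}\n"
)

if __name__ == "__main__":
    for dn, reason in find_cleartext_passwords(SAMPLE_LDIF):
        print(f"{dn}: {reason}")
```

Entries it reports need a password reset after the scheme is set, since the stored value is only hashed when the password is written.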
This is no longer an issue in the new Cockpit UI available in 389-ds-base-1.4.x. Since 389-admin server/console has been deprecated, I am closing this ticket.
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to None - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2106
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)