Setting up user accounts with ppolicy attributes
I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I
think I have the policies set up correctly in the LDAP database using the
following ppolicy.ldif file:
dn: ou=policies,dc=my-domain,dc=com
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=my-domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 30 day password limit (2592000 seconds) with an even longer expire warning
# for testing.
pwdExpireWarning: 2592001
pwdMaxAge: 2592000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 6
pwdAllowUserChange: TRUE
# Items not currently used.
pwdMinAge: 0
pwdGraceAuthnLimit: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
and the following entries in the slapd.conf file:
# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com"
However, I'm having trouble creating user accounts.
Looking at the OpenLDAP documentation and the ppolicy.schema file, it
appears that I need to include objectClass: pwdPolicy as an auxiliary class
(along with posixAccount, which is the basic user account class), and then
include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory,
etc. The ppolicy.schema file indicates that the format in the ldif file
should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex, and
the doc indicates that if this attribute is missing, OpenLDAP will not
support password history processing, so it sounds like I need to get these
attributes into the account structure.
Trouble is, if I try to include such values I either get an import failure
without error messages, an error that says "no user modification allowed"
(even when I'm adding an account), or an indication that I'm using an
invalid format.
Does anyone have an example LDIF file that shows how to set up a user
account to track ppolicy processing? I have the feeling I'm missing
something really obvious here, but I absolutely don't see it yet.
Thanks for any help that anyone can provide.
JFE.
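Editor's note with an added example (not part of the original message, and not OpenLDAP's own code). In OpenLDAP's ppolicy.schema, pwdChangedTime, pwdHistory, pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime are operational attributes flagged NO-USER-MODIFICATION: the ppolicy overlay writes them itself when a password is set or changed, which is why supplying them in an add LDIF yields "no user modification allowed". The pwdPolicy object class belongs on the policy entry (cn=default above), not on the account. The script below shows what such an entry looks like once the overlay has populated it, parses the pwdHistory values in the time#syntaxOID#length#data form the message refers to, and evaluates the entry against the cn=default values from the message. The user uid=jdoe, its passwords, timestamps and salt are constructed for the example.

```python
"""Editor's example, not code from the original message or from OpenLDAP:
read the operational attributes that slapd's ppolicy overlay writes onto a
user entry and evaluate them against the cn=default policy from the message.
The user entry, passwords, times and salt below are all constructed."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Values copied from cn=default in the message (seconds, or counts).
POLICY = {"pwdMaxAge": 2592000, "pwdExpireWarning": 2592001,
          "pwdInHistory": 3, "pwdMinLength": 6}
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"  # syntax of userPassword


def ssha(password, salt):
    """{SSHA} as slapd stores it: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext candidate against one stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def history_value(time_str, stored):
    """One pwdHistory value in the schema's time#syntaxOID#length#data form."""
    return f"{time_str}#{OCTET_STRING_OID}#{len(stored)}#{stored}"


# Constructed: roughly what "ldapsearch -LLL ... '*' '+'" shows once the
# overlay has maintained the entry. pwdChangedTime and pwdHistory are
# operational attributes written by slapd, never supplied in the add LDIF.
SALT = b"\x01\x02\x03\x04"
SAMPLE_LDIF = "\n".join([
    "dn: uid=jdoe,ou=people,dc=my-domain,dc=com",
    "objectClass: account",
    "objectClass: posixAccount",
    "uid: jdoe",
    "cn: jdoe",
    "uidNumber: 1001",
    "gidNumber: 1001",
    "homeDirectory: /home/jdoe",
    "userPassword:: " + base64.b64encode(ssha("spring07", SALT).encode()).decode(),
    "pwdChangedTime: 20070115120000Z",
    "pwdHistory: " + history_value("20061201093000Z", ssha("winter06", SALT)),
    "pwdHistory: " + history_value("20061020181500Z", ssha("autumn06", SALT)),
])


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value', 'attr:: base64'
    and continuation lines (leading space). Returns {attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name, []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """LDAP GeneralizedTime without fraction, e.g. 20000103121520Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_pwd_history(value):
    """Split time#syntaxOID#length#data; the hash may itself contain '#',
    so split only three times and cross-check the declared length."""
    time_str, oid, length, data = value.split("#", 3)
    if int(length) != len(data.encode()):
        raise ValueError(f"pwdHistory length mismatch: {value!r}")
    return {"time": parse_generalized_time(time_str), "syntax": oid, "hash": data}


def password_status(entry, policy, now_str):
    """('ok'|'warning'|'expired', seconds_left): age from pwdChangedTime
    judged against pwdMaxAge and pwdExpireWarning."""
    changed = parse_generalized_time(entry["pwdChangedTime"][0])
    left = (changed + timedelta(seconds=policy["pwdMaxAge"])
            - parse_generalized_time(now_str)).total_seconds()
    if left <= 0:
        return "expired", 0
    return ("warning" if left <= policy["pwdExpireWarning"] else "ok"), int(left)


def password_in_history(entry, candidate):
    """Reuse check: hash the candidate with each stored salt and compare."""
    return any(ssha_verify(candidate, parse_pwd_history(v)["hash"])
               for v in entry.get("pwdHistory", []))


def check_new_password(entry, candidate, policy):
    """Problems a change to `candidate` would hit under the policy."""
    problems = []
    if len(candidate) < policy["pwdMinLength"]:
        problems.append("shorter than pwdMinLength")
    if password_in_history(entry, candidate):
        problems.append("found in pwdHistory")
    return problems


ENTRY = parse_ldif_entry(SAMPLE_LDIF)

if __name__ == "__main__":
    print(password_status(ENTRY, POLICY, "20070201000000Z"))  # warning from day one
    print(check_new_password(ENTRY, "winter06", POLICY))
```

Two things the run makes visible: because pwdExpireWarning (2592001) exceeds pwdMaxAge (2592000) in the posted policy, the status is never "ok", every bind is in the warning window from the moment the password is set, which is what "for testing" in the policy comment implies; and the history check has to re-hash the candidate with each stored {SSHA} salt rather than compare strings, which is why the entry needs the full stored hash in each pwdHistory value. This is a model of the checks, not the overlay's code; slapd performs them server-side when the password is modified or the user binds.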