Re: Setting up user accounts with ppolicy attributes
Jack,
I haven't tried setting the pwdChangedTime, but I recently implemented
ppolicy, and every time a user changes their password it sets this
attribute to the current time; I'm not sure if that was part of your
question. On all NEW user entries that I create, the pwdChangedTime is
already set, so that the password policies apply to those users.
$ ldapsearch -x -H ldaps://host.example.org cn=default
dn: cn=default,ou=Policies,dc=example,dc=org
cn: default
objectClass: pwdPolicy
objectClass: device
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdCheckQuality: 1
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 0
An example of one of my users:
$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid>
dn: cn=First Last,ou=People,dc=example,dc=org
givenName: First
sn: Last
cn: First Last
uid: uid
uidNumber: <uid #>
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
gidNumber: <gid #>
homeDirectory: /home/<uid>
shadowLastChange: 13634
$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid> +
dn: cn=first last,ou=People,dc=example,dc=org
creatorsName: cn=manager,dc=example,dc=org
createTimestamp: 20060501144730Z
structuralObjectClass: inetOrgPerson
entryUUID: 2d89674c-7b0d-102b-8606-4f7ba9469bfa
pwdChangedTime: 20070515203623Z
entryCSN: 20070515203623Z#000001#00#000000
modifiersName: cn=First Last,ou=People,dc=example,dc=org
modifyTimestamp: 20070515203623Z
entryDN: cn=First Last,ou=People,dc=example,dc=org
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Thanks,
--
Joshua M. Miller - RHCE,VCP
Jack Emmerichs wrote:
Looking at the OpenLDAP documentation and the ppolicy.schema file, it
appears that I need to include objectClass: pwdPolicy as an auxiliary
class (along with posixAccount, which is the basic user account class),
and then include attributes for pwdChangedTime, pwdAccountLockedTime,
pwdHistory, etc. The ppolicy.schema file indicates that the format in
the ldif file should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex,
and the doc indicates that if this attribute is missing, OpenLDAP will
not support password history processing, so it sounds like I need to get
these attributes into the account structure.
Trouble is, if I try to include such values I either get an import
failure without error messages, an error that says "no user modification
allowed" (even when I'm adding an account), or an indication that I'm
using an invalid format.
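The policy Joshua posted (pwdMaxAge 7776000 s, i.e. 90 days; pwdExpireWarning 604800 s, i.e. 7 days; pwdLockoutDuration 900 s) and the pwdChangedTime on his user entry are enough to predict what the ppolicy overlay will do at a user's next bind. The script below is an added example, not code from either poster or from OpenLDAP: it parses ldapsearch-style output for the policy and user entries and works out expiry, warning and lockout state. The three user entries in it are constructed sample data; only the policy values and the 20070515203623Z timestamp come from the thread. It assumes the slapo-ppolicy(5) semantics that password age is measured from pwdChangedTime, that pwdLockoutDuration 0 or the sentinel value 000001010000Z in pwdAccountLockedTime means locked until an administrator clears it, and that an entry with no pwdChangedTime cannot be aged at all (which is why seeding it matters). pwdChangedTime is declared NO-USER-MODIFICATION in ppolicy.schema, so ldapadd refuses it in a normal add; slapadd(8) from an LDIF accepts operational attributes and is the usual way to seed it on import.

```python
"""Evaluate OpenLDAP ppolicy state for user entries (added example).

Reads ldapsearch-style LDIF for a pwdPolicy entry and user entries and
reports what a bind at a given time would see. ppolicy semantics per
slapo-ppolicy(5) are an assumption of this example, not verified
against the overlay's source.
"""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # sentinel: locked until an admin resets (assumption)
INT_ATTRS = {"pwdMaxAge", "pwdExpireWarning", "pwdMaxFailure", "pwdLockoutDuration",
             "pwdGraceAuthNLimit", "pwdMinLength", "pwdInHistory", "pwdCheckQuality"}
BOOL_ATTRS = {"pwdLockout", "pwdAllowUserChange"}


def parse_ldif(text):
    """Parse ldapsearch output into {dn: {attr: [values]}}.
    Handles folded lines (leading space); skips comments and blank lines.
    Base64 values (attr::) are not decoded; none occur in the sample."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, cur = {}, None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries


def parse_time(value):
    """GeneralizedTime as slapd writes it, e.g. 20070515203623Z -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def load_policy(attrs):
    """Convert the string values of a pwdPolicy entry to ints and bools."""
    policy = {}
    for name, values in attrs.items():
        if name in INT_ATTRS:
            policy[name] = int(values[0])
        elif name in BOOL_ATTRS:
            policy[name] = values[0].upper() == "TRUE"
    return policy


def password_state(policy, user, now):
    """Decisions a bind at `now` would hit for `user` under `policy`."""
    state = {"expired": False, "warn": False, "expires_at": None,
             "locked": False, "locked_until": None,
             "failures": len(user.get("pwdFailureTime", [])),
             "no_changed_time": "pwdChangedTime" not in user}
    max_age = policy.get("pwdMaxAge", 0)
    if not state["no_changed_time"] and max_age > 0:
        expires_at = parse_time(user["pwdChangedTime"][0]) + timedelta(seconds=max_age)
        state["expires_at"] = expires_at
        state["expired"] = now >= expires_at
        warn = policy.get("pwdExpireWarning", 0)
        state["warn"] = (not state["expired"] and warn > 0
                         and now >= expires_at - timedelta(seconds=warn))
    locked_at = user.get("pwdAccountLockedTime")
    if policy.get("pwdLockout") and locked_at:
        duration = policy.get("pwdLockoutDuration", 0)
        if locked_at[0] == PERMANENT_LOCK or duration == 0:
            state["locked"] = True           # no automatic unlock
        else:
            until = parse_time(locked_at[0]) + timedelta(seconds=duration)
            state["locked_until"] = until
            state["locked"] = now < until
    return state


# Constructed sample: policy values from the thread; users are made up,
# except the pwdChangedTime of the first one which is the thread's value.
SAMPLE_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=org
objectClass: pwdPolicy
objectClass: device
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0

dn: cn=First Last,ou=People,dc=example,dc=org
uid: first
pwdChangedTime: 20070515203623Z

dn: cn=Locked User,ou=People,dc=example,dc=org
uid: locked
pwdChangedTime: 20070801090000Z
pwdAccountLockedTime: 20070810120000Z
pwdFailureTime: 20070810115800Z
pwdFailureTime: 20070810115900Z
pwdFailureTime: 20070810120000Z

dn: cn=Disabled User,ou=People,dc=example,dc=org
uid: disabled
pwdChangedTime: 20070801090000Z
pwdAccountLockedTime: 000001010000Z

dn: cn=Unseeded User,ou=People,dc=example,dc=org
uid: unseeded
"""

ENTRIES = parse_ldif(SAMPLE_LDIF)
POLICY = load_policy(ENTRIES["cn=default,ou=Policies,dc=example,dc=org"])


def evaluate(dn, now_str):
    """State of the sample user `dn` at GeneralizedTime `now_str`."""
    return password_state(POLICY, ENTRIES[dn], parse_time(now_str))


if __name__ == "__main__":
    for dn in ENTRIES:
        if not dn.startswith("cn=default"):
            print(dn, evaluate(dn, "20070810121000Z"))
```

Run against real data by replacing SAMPLE_LDIF with the concatenated output of the two ldapsearch commands in the reply (the `+` on the user search is what returns pwdChangedTime and the other operational attributes). An entry that comes back with no_changed_time set is one the overlay will never expire, which is the gap the seeding discussion in this thread is about.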