Re: Syncrepl and proxyAgent password expiration

[Howard Chu <hyc@symas.com>]

Aaron Richton wrote:
> I'm really not that familiar with ppolicy (we don't use it here), so 
> somebody else might have more specific details. However, I'd imagine that 
> you either need to modify the
>
> > ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"
>
> using the rootdn, or you need to modify the entry 
> "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to 
> either update the proxyAgent entry (so its' password is not expired) or 
> grant an exemption (in the policy) to the proxyAgent.

As noted in the slapo-ppolicy(5) manpage, you can simply set the 
pwdPolicySubentry attribute of the target entry to point it at a non-default 
policy. So create a new policy for the proxyAgent user that does not use 
password expiration, and point the proxyAgent's pwdPolicySubentry attribute at 
that new policy.
> On Mon, 27 Aug 2007, Paul J. Pathiakis wrote:
>
> > Hi,
> >
> > Could someone tell me what type of entry I could create (inetOrgPerson, 
> > account, etc) in the ou=Profile,dc=eagleaccess,dc=com directory that 
> > would allow me to have a proxy password entry without a password policy 
> > overlay control?
> >
> > I think this is my last hurdle to get through here.
> >
> > Thank you,
> >
> > Paul Pathiakis
> >
> >
> > -----Original Message-----
> > From: Aaron Richton [mailto:richton@nbcs.rutgers.edu]
> > Sent: Mon 8/27/2007 5:20 PM
> > To: Paul J. Pathiakis
> > Cc: openldap-software@openldap.org
> > Subject: RE: Syncrepl and proxyAgent password expiration
> >
> > Something is clearly feeding
> >
> > > ppolicy_bind: Entry cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com
> > to your server. If you're looking to deprecate that and make a new DN
> > starting "uid=proxyAgent", you're going to have to change everything that
> > has the old one.
> >
> > On Mon, 27 Aug 2007, Paul J. Pathiakis wrote:
> >
> > > Hi,
> > >
> > > just as someone was answering the question, I got the second part of it
> > > by just using the rootdn of the master provider.  (I went back to square
> > > one and wiped everything on the consumer.)  Now, I'm stuck with a
> > > "simple" problem of the Solaris 9 clients in my network coming back with
> > > the Error 49 problem of invalid credentials.  I've created a security
> > > object for the proxyAgent and I'm trying to initialize its use.
> > > However, this now has a userid attribute instead of cn.  Is this going
> > > to cause me any grief?
> > >
> > > Thank you,
> > >
> > > Paul Pathiakis


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/