
Re: Syncrepl and proxyAgent password expiration



Aaron Richton wrote:
I'm really not that familiar with ppolicy (we don't use it here), so somebody else might have more specific details. However, I'd imagine that you either need to modify the

ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"

using the rootdn, or you need to modify the entry "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to either update the proxyAgent entry (so its password is not expired) or grant an exemption (in the policy) to the proxyAgent.

As noted in the slapo-ppolicy(5) manpage, you can simply set the pwdPolicySubentry attribute of the target entry to point it at a non-default policy. So create a new policy for the proxyAgent user that does not use password expiration, and point the proxyAgent's pwdPolicySubentry attribute at that new policy.

On Mon, 27 Aug 2007, Paul J. Pathiakis wrote:

Hi,

Could someone tell me what type of entry I could create (inetOrgPerson, account, etc) in the ou=Profile,dc=eagleaccess,dc=com directory that would allow me to have a proxy password entry without a password policy overlay control?

I think this is my last hurdle to get through here.

Thank you,

Paul Pathiakis


-----Original Message-----
From: Aaron Richton [mailto:richton@nbcs.rutgers.edu]
Sent: Mon 8/27/2007 5:20 PM
To: Paul J. Pathiakis
Cc: openldap-software@openldap.org
Subject: RE: Syncrepl and proxyAgent password expiration

Something is clearly feeding

ppolicy_bind: Entry cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com
to your server. If you're looking to deprecate that and make a new DN
starting "uid=proxyAgent", you're going to have to change everything that
has the old one.

On Mon, 27 Aug 2007, Paul J. Pathiakis wrote:

Hi,

Just as someone was answering the question, I got the second part of it
by just using the rootdn of the master provider.  (I went back to square
one and wiped everything on the consumer.)  Now, I'm stuck with a
"simple" problem of the Solaris 9 clients in my network coming back with
the Error 49 problem of invalid credentials.  I've created a security
object for the proxyAgent and I'm trying to initialize its use.
However, this now has a userid attribute instead of cn.  Is this going
to cause me any grief?

Thank you,

Paul Pathiakis




--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
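
Added example, not part of the original thread: the per-entry policy override described in the reply above, written as LDIF. The policy name "Service Account Policy" is a hypothetical choice, and the `person` structural class with a dummy `sn` is an assumption about how the policy entry is built; the `ou=Policies` container and the proxyAgent DN are the ones quoted in the thread.

```ldif
# Record 1: a separate policy for the service account.
# pwdMaxAge 0 means passwords governed by this policy do not expire.
# The cn and DN are hypothetical; 'person' only supplies a structural
# object class, so sn carries a dummy value.
dn: cn=Service Account Policy,ou=Policies,dc=eagleaccess,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: Service Account Policy
sn: dummy value
pwdAttribute: userPassword
pwdMaxAge: 0
pwdExpireWarning: 0

# Record 2: point the proxyAgent entry at that policy, so the
# ppolicy_default policy no longer governs this one entry.
dn: cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=Service Account Policy,ou=Policies,dc=eagleaccess,dc=com
```

Load it with ldapmodify while bound as the rootdn. Every entry without its own pwdPolicySubentry stays under the default policy, so expiration is relaxed for the proxyAgent only.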