-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Mon 8/27/2007 9:04 PM
To: Aaron Richton
Cc: Paul J. Pathiakis; openldap-software@openldap.org
Subject: Re: Syncrepl and proxyAgent password expiration

Aaron Richton wrote:
> I'm really not that familiar with ppolicy (we don't use it here), so
> somebody else might have more specific details. However, I'd imagine that
> you either need to modify the
>
>> ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"
>
> using the rootdn, or you need to modify the entry
> "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to
> either update the proxyAgent entry (so its password is not expired) or
> grant an exemption (in the policy) to the proxyAgent.

As noted in the slapo-ppolicy(5) manpage, you can simply set the
pwdPolicySubentry attribute of the target entry to point it at a non-default
policy. So create a new policy for the proxyAgent user that does not use
password expiration, and point the proxyAgent's pwdPolicySubentry attribute at
that new policy.

>
> On Mon, 27 Aug 2007, Paul J. Pathiakis wrote:

Howard/Aaron (everyone),

I figured out what I needed after Howard pointed me in the proper direction. I exported the DB into LDIF. I modified the entry for proxyagent to have:

pwdPolicySubentry: cn=proxyPolicy,ou=Policies,dc=eagleaccess,dc=com

after, of course, creating the proxyPolicy password policy with little or no controls on its expiration so that Solaris clients can bind via proxy and query the database.

I then reloaded, restarted, and everything just worked.

Thanks to everyone!

Paul Pathiakis
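
The per-entry policy override described in this thread, written out as LDIF. This is an added example, not taken from any of the messages: the DNs are the ones quoted above, while the structural class (`device`), the attribute values, and applying it as a live change instead of the export/reload Paul used are assumptions.

```ldif
# Added example; DNs come from the thread, everything else is assumed.

# 1. A separate policy with expiration switched off.
#    pwdMaxAge: 0 means passwords governed by this policy never expire.
dn: cn=proxyPolicy,ou=Policies,dc=eagleaccess,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: proxyPolicy
pwdAttribute: userPassword
pwdMaxAge: 0
pwdExpireWarning: 0

# 2. Point only the proxyAgent entry at that policy. Entries without a
#    pwdPolicySubentry value remain under ppolicy_default
#    (cn=Standard Policy), so expiration still applies to everyone else.
dn: cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=proxyPolicy,ou=Policies,dc=eagleaccess,dc=com
```

Load it with `ldapmodify` bound as the rootdn. Because the exemption is scoped to a single DN, a periodic search for entries carrying `pwdPolicySubentry` gives a quick audit of which accounts sit outside the default expiration rules.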