Re: ppolicy: invalid value for attributeType pwAttribute -- for "userPassword"

[Howard Chu <hyc@symas.com>]

Dieter Kluenter wrote:
> Hi,
>
> Chris Shenton<chris.shenton@nasa.gov>  writes:
>
> > On Feb 23, 2008, at 3:11 AM, Dieter Kluenter wrote:
> >
> > > Chris Shenton<chris.shenton@nasa.gov>  writes:
> > >
> > > > I'm running 2.3.39 and using ppolicy to enforce our password
> > > > policy. Got an LDIF file:
> [...]
> > > > pwdAttribute:                   userPassword
> > > pwdAttribute value should contain the OID of attribute type
> > > userpassword,
> > > which is 2.5.4.35
> > Thanks, that got me going.  I could swear I used "userPassword" in a
> > previous version of OpenLDAP.

Yes. That is intended to work; the ppolicy overlay installs a handler to map 
attribute names to their OIDs so that the main slapd code will recognize them.

> > Perhaps the docs and LDIF file should mention that you need to use the
> > OID rather than the name?
> > Both the man page for slapo-ppolicy and draft-behera-ldap-password-
> > policy-xx.txt say "userPassword".
>
> The only reference I have at hand right now is my own documentation,
> but I could swear that the original information had been in some
> documentation, either man slapo-ppolicy,
> draft-behera-ldap-password-policy or in ppolicy.c. But someone with
> more detailed inside knowledge may comment on this issue and clarify.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/