| If I recall correctly, the default policy is applied w/o an entry in the record. If you want to apply a specific policy that is not the default, you have to have the entry in the account for the password entry
e.g. an entry like this would override the default
pwdPolicySubentry: cn=staff,ou=policies,dc=x,dc=y
where if that entry was missing, then it would simply use the default entry setup in the slapd.conf or cn=config .
"
ppolicy_default <policyDN> Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced. " --source man slapo-ppolicy
I hope that is helpful
Sellers
On Mar 11, 2008, at 7:38 PM, Ryan Steele wrote: Hey folks,
If this is the wrong list, please let me know and I'd be happy to send
it to the right one.
As I've mentioned in a previous post (which hasn't been posted yet, so I
apologize if you've seen any of this information already) I've got a FC6
box, with OpenLDAP 2.3.30. I'm attempting to get ppolicy to work, and I
can now successfully start OpenLDAP with the ppolicy directive in it:
### abridged slapd.conf ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib/openldap
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
by self write
by * auth
access to *
by * read
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
sasl-secprops none
### Password Policy entry via slapcat ###
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: 2.5.4.35
pwdMaxAge: 3888000
pwdInHistory: 2
pwdCheckQuality: 1
pwdMinLength: 6
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockoutDuration: 7776000
pwdLockout: TRUE
structuralObjectClass: device
entryUUID: 2e1eee98-83ea-102c-9736-1d2794f3677b
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080311190746Z
entryCSN: 20080311190746Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080311190746Z
[root@server openldap]# /etc/init.d/ldap start
Checking configuration files for slapd: WARNING: No dynamic config
support for overlay ppolicy.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
From what I gather, since I'm using a slapd.conf and not a back-bdb,
that warning does not apply to me.
However, when I add users, I see no special attributes that show they're
being regulated by ppolicy (Googling turned up some ldif's that had
pwdPolicySubentry attributes - should I have that?) Additionally, I can
enter passwords such as 'a' - single characters, and it doesn't complain
at all. In fact, none of the restrictions are being enforced, and I'm
really scratching my head. The options I compiled with were:
--enable-plugins \
--enable-ppolicy=yes \
--enable-slapd \
--enable-slurpd \
--enable-multimaster \
--enable-bdb \
--enable-hdb \
--enable-ldap \
--enable-ldbm \
--with-ldbm-api=%{ldbm_backend} \
--enable-meta \
--enable-monitor \
--enable-null \
--enable-shell \
--enable-sql=mod \
--disable-perl \
--disable-shared \
--disable-dynamic \
--enable-static \
--with-kerberos=k5only
Thanks in advance for any help...
Best Regards,
Ryan
______________________________________________
Chris G. Sellers | NITLE - Technology Team |