Re: Password Policy setting
On Tuesday, 5 January 2010 03:14:44 Saavedra, Gisella wrote:
> $ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com"
> -w secret -f /etc/openldap/data/ppolicy.ldif
> adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
>
> adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
> ldapadd: Object class violation (65)
> additional info: no structural object class provided
This is LDAP basics, nothing to do with ppolicy really, and not necessarily
OpenLDAP-specific either.
[...]
> # Default Password Policy
> dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
> objectClass: pwdPolicy
pwdPolicy is an auxiliary objectclass. Besides it, you need a structural
objectclass which doesn't impose any other attribute requirements, and allows
the 'cn' attribute. You could use 'device' or 'organizationalRole', which
should be in the default schema, or the 'namedObject' one (which is not in
default schema).
For example, you could solve this by adding:
objectclass: organizationalRole
> cn: default
> # User can change his/her password
> pwdAllowUserChange: TRUE
> # Return warning to bind attempt (seconds) -- 3 days
> pwdExpireWarning: 259200
> # Interval in seconds to reset failure pwd count
> pwdFailureCountInterval: 100
> # Do not allow to bind on expired passwords
> pwdGraceAuthNLimit: 0
> # Reject any password changes in this list
> pwdInHistory: 3
> # Lock out account when user tries more than x attempts using invalid password
> pwdLockout: TRUE
> # Do not allow the system to unlock the account
> pwdLockoutDuration: 0
> # Consecutive # of failure attempts
> pwdMaxFailure: 5
> # How long the password lasts before user has to change it (seconds) -- 90 days
> pwdMaxAge: 77760000
> # Password length
> pwdMinLength: 6
You could also use other existing entries (e.g. an existing container entry)
to hold the password policy.
Regards,
Buchan
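The objectclass rule Buchan describes can be checked offline before running ldapadd. The following LDIF lint is an added example and is not code from the thread or from the OpenLDAP project; it parses an LDIF file, requires exactly one structural objectclass per entry, and checks the MUST attributes of the classes it knows about (device, organizationalRole, organizationalUnit and organization from the core schema, and pwdAttribute for pwdPolicy, which the ppolicy schema requires even though the quoted policy omits it). It also converts the seconds-valued pwd* attributes to days so they can be compared against their comments. The two LDIF samples are constructed to mirror the entry quoted above, first as posted and then with the structural class Buchan suggests.

```python
"""LDIF lint for OpenLDAP ppolicy entries (added example, not from the thread).

Catches "no structural object class provided" before ldapadd is run, and
converts the seconds-valued pwd* attributes to days for a sanity check.
"""

# Object class kinds from the OpenLDAP core and ppolicy schema. Only the
# classes mentioned in the thread plus a few container classes are listed;
# extend these tables for your own schema.
STRUCTURAL = {"device", "organizationalRole", "namedObject",
              "organizationalUnit", "organization"}
AUXILIARY = {"pwdPolicy", "dcObject"}
ABSTRACT = {"top"}
# MUST attributes (lower-cased) of the classes above, per the schema files.
MUST = {"device": {"cn"}, "organizationalRole": {"cn"},
        "organizationalUnit": {"ou"}, "organization": {"o"},
        "pwdPolicy": {"pwdattribute"}}
# ppolicy attributes whose values are seconds.
SECONDS_ATTRS = {"pwdmaxage", "pwdminage", "pwdexpirewarning",
                 "pwdfailurecountinterval", "pwdlockoutduration"}
# Object class names are case-insensitive in LDAP: map lower-case to canonical.
_CANON = {c.lower(): c for c in STRUCTURAL | AUXILIARY | ABSTRACT}


def parse_ldif(text):
    """Parse LDIF into a list of (dn, attrs); attrs maps lower-cased attribute
    names to value lists. Handles '#' comments, blank-line entry separators and
    leading-space continuation lines (base64 '::' values are not needed here)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_entry(attrs):
    """Return the list of problems for one entry (empty list means OK)."""
    problems = []
    classes = [_CANON.get(c.lower(), c) for c in attrs.get("objectclass", [])]
    for c in classes:
        if c not in _CANON.values():
            problems.append(f"unknown object class '{c}' (extend the tables)")
    structural = [c for c in classes if c in STRUCTURAL]
    if not structural:
        problems.append("no structural object class provided")
    elif len(structural) > 1:
        problems.append("more than one structural object class: "
                        + ", ".join(structural))
    for c in classes:
        for must in MUST.get(c, set()):
            if must not in attrs:
                problems.append(f"'{c}' requires attribute '{must}'")
    return problems


def lint_ldif(text):
    """Map each DN in the LDIF to its list of problems."""
    return {dn: check_entry(attrs) for dn, attrs in parse_ldif(text)}


def seconds_attrs_in_days(text, dn):
    """Seconds-valued pwd* attributes of one entry, converted to days."""
    for entry_dn, attrs in parse_ldif(text):
        if entry_dn == dn:
            return {name: int(vals[0]) / 86400
                    for name, vals in attrs.items() if name in SECONDS_ATTRS}
    return {}


POLICY_DN = "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"

# Constructed sample: the policy as quoted in the thread (pwdPolicy only).
BROKEN_LDIF = """\
dn: ou=pwdpolicies,dc=zes_example,dc=com
objectClass: organizationalUnit
ou: pwdpolicies

# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdMaxAge: 77760000
"""

# Constructed sample: the same entry with the structural class Buchan suggests.
FIXED_LDIF = BROKEN_LDIF.replace("objectClass: pwdPolicy\n",
                                 "objectClass: organizationalRole\n"
                                 "objectClass: pwdPolicy\n")

if __name__ == "__main__":
    for label, ldif in (("as posted", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(label, lint_ldif(ldif))
    print(seconds_attrs_in_days(FIXED_LDIF, POLICY_DN))
```

Run against the fixed sample, the lint reports no problems and prints pwdmaxage as 900.0 days: the quoted value 77760000 is 900 days, not the 90 days its comment claims (90 days is 7776000), which is the kind of silent policy weakening a seconds-to-days view catches before the policy goes live.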