
Re: attribute 'pwdPolicySubentry' cannot have multiple values



I'm pretty sure pwdPolicySubentry requires the pwdPolicy objectClass in the target DN, although that wouldn't explain the error message... Are you sure the attribute doesn't already exist? It is a system attribute, so depending on the browser you are using it may not appear.

On Mar 19, 2010, at 6:59 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu> wrote:

Hello,

I've got my LDAP infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastically (I can clear a db on a remote slave and, in less than 30 seconds after startup, it'll reacquire the entire db!).

I'm now having an issue with one of the very last things: getting a password policy into effect.

When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:

Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values

I get that error in the logs whether I try to add it by hand via Apache Directory Studio or via an LDIF import/modify:

dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net

Here are the related slapd.conf overlay directives:

overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout

(Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.)

And for completeness, here's the entry that I'm attempting to add this attribute to:

dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword:: <<snipped>>

And here's the password policy ldif:

dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE

When I built openldap, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so I get in the logs:

line 18 (moduleload      ppolicy.la)
module_load: (ppolicy.la) already present (static)

Which I'm pretty sure means it's already loaded...

Any idea as to what I'm doing wrong?

Thanks,
- chris

Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu
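The reply's suggestion, that pwdPolicySubentry may already be on the entry without showing up in a directory browser, is worth checking before anything else: pwdPolicySubentry is an operational attribute, so a default ldapsearch omits it unless it is requested by name or with '+', for example `ldapsearch -x -D <admin DN> -W -b 'uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net' -s base '(objectClass=*)' pwdPolicySubentry`. The following is an added example, not code from the thread or from OpenLDAP: a stand-alone simulation of the schema check behind "cannot have multiple values" that runs the post's `add:` LDIF and an idempotent `replace:` form against an entry constructed to already carry a different policy DN. The DNs are the ones from the post; the pre-existing value `cn=old,...` and the helper names are assumptions for illustration.

```python
"""Added example (not from the post or from OpenLDAP): simulate slapd's
SINGLE-VALUE schema check for pwdPolicySubentry and show why an LDIF 'add:'
can fail with "cannot have multiple values" where 'replace:' cannot.
Talks to no server; DNs are from the post, everything else is constructed.
"""

# pwdPolicySubentry is SINGLE-VALUE and operational in the ppolicy schema.
SINGLE_VALUED = {"pwdPolicySubentry"}

ENTRY_DN = "uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net"
POLICY_DN = "cn=default,ou=policies,dc=unix,dc=aptimus,dc=net"


class SchemaError(Exception):
    """Stands in for slapd's 'entry failed schema check' rejection."""


class ValueExistsError(Exception):
    """Stands in for LDAP result 20, attributeOrValueExists."""


def parse_modify_ldif(text):
    """Parse a minimal 'changetype: modify' record into (dn, [(op, attr, values)]).

    Supports only what the post uses: no base64 values, no line folding.
    """
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("not a modify record")
    dn = lines[0][len("dn: "):]
    changes, op, attr, values = [], None, None, []
    for line in lines[2:]:
        if line == "-":                       # separator between modifications
            changes.append((op, attr, values))
            op, attr, values = None, None, []
            continue
        key, sep, val = line.partition(": ")
        if op is None and key in ("add", "replace", "delete"):
            op, attr = key, val
        elif sep and key == attr:
            values.append(val)
        else:
            raise ValueError("unexpected LDIF line: " + line)
    if op is not None:
        changes.append((op, attr, values))
    return dn, changes


def apply_modify(entry, changes):
    """Apply modifications to a copy of entry (attr -> list of values).

    Order mirrors slapd: a duplicate value on 'add' is rejected first; only
    then is the result checked against the schema, where a SINGLE-VALUE
    attribute ending up with two distinct values gives the post's message.
    """
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        current = new.get(attr, [])
        if op == "add":
            if any(v in current for v in values):
                raise ValueExistsError(f"{attr}: value already exists")
            new[attr] = current + list(values)
        elif op == "replace":
            if values:
                new[attr] = list(values)
            else:
                new.pop(attr, None)
        elif op == "delete":
            new[attr] = [v for v in current if v not in values] if values else []
            if not new[attr]:
                new.pop(attr, None)
        else:
            raise ValueError("unknown modify op " + repr(op))
        if attr in SINGLE_VALUED and len(new.get(attr, [])) > 1:
            raise SchemaError(f"attribute '{attr}' cannot have multiple values")
    return new


def set_policy_ldif(dn, policy_dn):
    """Idempotent form: 'replace:' sets the single value whether or not the
    operational attribute is already present on the entry."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: pwdPolicySubentry\npwdPolicySubentry: {policy_dn}\n")


def demo():
    """Run the post's 'add:' LDIF and the 'replace:' form against an entry
    constructed to already carry a different (assumed) policy DN."""
    entry = {"uid": ["chrisjtest"],
             "pwdPolicySubentry": ["cn=old,ou=policies,dc=unix,dc=aptimus,dc=net"]}
    add_ldif = (f"dn: {ENTRY_DN}\nchangetype: modify\n"
                f"add: pwdPolicySubentry\npwdPolicySubentry: {POLICY_DN}\n")
    out = {}
    try:
        apply_modify(entry, parse_modify_ldif(add_ldif)[1])
        out["add"] = "ok"
    except SchemaError as err:
        out["add"] = str(err)
    fixed = apply_modify(entry, parse_modify_ldif(set_policy_ldif(ENTRY_DN, POLICY_DN))[1])
    out["replace"] = fixed["pwdPolicySubentry"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The simulation only covers the one failure mode in the thread; if the ldapsearch above shows no existing pwdPolicySubentry on the entry, the cause lies elsewhere and `replace:` will not change the outcome. Where the attribute is present, `replace:` is the safe verb for any single-valued attribute, since it succeeds whether or not a value is already there.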

