Re: attribute 'pwdPolicySubentry' cannot have multiple values

[Tyler Gates <tgates81@gmail.com>]

I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass  
in the target dn although that wouldn't explain the error message...  
Are you sure the attribute doesn't already exist? It is a system  
attribute so depending on the browser you are using at may not appear.

On Mar 19, 2010, at 6:59 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu>  
wrote:

> Hello,
>
> I've got my ldap infrastructure (mirrormode masters, 2 slaves per  
> datacenter) working fantastic (I can clear a db on a remote slave  
> and in less than 30 seconds after startup, it'll reacquire the  
> entire db!).
>
> I'm now having an issue with one of the very last things: getting a  
> password policy into effect.
>
> When I attempt to add the 'pwdPolicySubentry' attribute to a user  
> account, I get the error:
>
> Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry  
> (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute  
> 'pwdPolicySubentry' cannot have multiple values
> Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check:  
> attribute 'pwdPolicySubentry' cannot have multiple values
>
> I get that error in the logs whether I try to add it by hand via  
> Apache Directory Studio, or an ldif import/modify:
>
> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>
> Here are the related slapd.conf overlay directives:
>
> overlay ppolicy
> ppolicy_hash_cleartext
> ppolicy_use_lockout
>
> (Notice there's no ppolicy_default set - I'm still testing this  
> feature out before I roll it out.)
>
> And for completeness, here's the entry that I'm attempting to add  
> this attribute to:
>
> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: ChrisJ Test
> gidNumber: 200
> homeDirectory: /home/chrisjtest
> sn: chrisjtest
> uid: chrisjtest
> uidNumber: 583
> description: ChrisJ Test
> gecos: ChrisJ Test
> loginShell: /bin/bash
> shadowLastChange: 14657
> userPassword:: <<snipped>>
>
> And here's the password policy ldif:
>
> dn: ou=policies,dc=unix,dc=aptimus,dc=net
> objectClass: organizationalUnit
> objectClass: top
> ou: policies
>
> dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 172800
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 10
> pwdLockout: TRUE
> pwdLockoutDuration: 1200
> pwdMaxAge: 15897600
> pwdMaxFailure: 3
> pwdMinLength: 8
> pwdMustChange: FALSE
> pwdSafeModify: TRUE
>
> When I built openldap, I enabled all overlays (I know, not the most  
> efficient), and when I attempt to add moduleload ppolicy.la or  
> ppolicy.so I get in the logs:
>
> line 18 (moduleload      ppolicy.la)
> module_load: (ppolicy.la) already present (static)
>
> Which I'm pretty sure means it's already loaded...
>
> Any idea as to what I'm doing wrong?
>
> Thanks,
> - chris
>
> Chris Jacobs, Jr. Linux Administrator, Information Technology &  
> Operations
> Apollo Group | Apollo Marketing | Aptimus, Inc.
> 2001 6th Ave | Ste 3200 | Seattle, WA 98121
> phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
> email:  chris.jacobs@apollogrp.edu
>
>
> This message is private and confidential. If you have received it in  
> error, please notify the sender and remove it from your system.