Re: Password policy
On Mon, Nov 19, 2012 at 03:14:42PM +0000, jeevan kc wrote:
> I want to enable a password policy on OpenLDAP 2.4.30 (for all users). I see that
> the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/
> schema but are not present in the /usr/local/etc/openldap/slapd.d/cn=config folder.
> So do I need to add the policy.ldif to the cn=config folder? Is there a
> specific procedure to do that, or can I add it manually with ldapadd? Also, how do
> I enable that schema for all users? Please help.
The Admin Guide is a good place to start:
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
To get the schema into your config, you should include it, e.g.
if using slapd.conf you need a line like this in the global
section:
include /usr/local/etc/openldap/schema/ppolicy.schema
Now in the database section holding your user entries:
database hdb
suffix "dc=dir,dc=example,dc=org"
directory "/var/lib/ldap/db"
...
overlay ppolicy
ppolicy_default "cn=Password Policy,dc=dir,dc=example,dc=org"
ppolicy_hash_cleartext
It is important that the default policy entry is in the same
backend DB as the users that it will control (ITS#7262).
Your actual policy can then be loaded from an LDIF file, e.g.:
# Default password policy
# Applies to userPassword (2.5.4.35)
#
dn: cn=Password Policy,dc=dir,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 9
It will apply to all users unless you place an explicit policy
link in the pwdPolicySubentry attribute of the user entry to override it.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
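The reply above configures ppolicy via slapd.conf, while the question was about a cn=config (slapd.d) setup. The script below is an added example, not part of the original post or of OpenLDAP itself, showing the same three steps (schema, module + overlay, policy entry) as ldapadd/ldapmodify input over ldapi:///, plus the check that the default policy DN sits under the user database suffix. It assumes ppolicy was built as a dynamic module under /usr/local/libexec/openldap, that the user database is olcDatabase={1}hdb, and that its rootdn is cn=Manager,dc=dir,dc=example,dc=org; adjust these to your tree (if a cn=module{0} entry already exists, add olcModuleLoad to it with changetype: modify instead of creating a new one).

```shell
#!/bin/sh
# Added example (not from the original post): ppolicy setup for a cn=config tree.
# Assumed values: module directory, database index {1}hdb and rootdn.
SUFFIX="dc=dir,dc=example,dc=org"
POLICY_DN="cn=Password Policy,$SUFFIX"
USERDB="olcDatabase={1}hdb,cn=config"
MODULE_DIR="/usr/local/libexec/openldap"          # assumption
ROOTDN="cn=Manager,$SUFFIX"                        # assumption
SCHEMA_DIR="/usr/local/etc/openldap/schema"

# ldapmodify input: load the ppolicy module and attach the overlay to the
# user database (olcPPolicyDefault/olcPPolicyHashCleartext mirror the
# ppolicy_default/ppolicy_hash_cleartext directives in the post).
ppolicy_config_ldif() {
cat <<EOF
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: $MODULE_DIR
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,$USERDB
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
EOF
}

# ldapadd input: the default policy entry, same attributes as in the post.
ppolicy_entry_ldif() {
cat <<EOF
dn: $POLICY_DN
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 9
EOF
}

# The default policy must live in the same backend as the users it governs
# (ITS#7262): a simple suffix check on the DN before anything is loaded.
policy_in_userdb() {
  case "$1" in
    *",$2") return 0 ;;
    *)      return 1 ;;
  esac
}

apply() {
  policy_in_userdb "$POLICY_DN" "$SUFFIX" || { echo "policy DN is not under $SUFFIX" >&2; return 1; }
  # 1. schema: the ppolicy.ldif shipped in the schema directory
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$SCHEMA_DIR/ppolicy.ldif"
  # 2. module and overlay in cn=config
  ppolicy_config_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
  # 3. the policy entry itself, written into the user database as rootdn
  ppolicy_entry_ldif | ldapadd -x -H ldapi:/// -D "$ROOTDN" -W
  # 4. confirm the overlay is attached and points at the policy entry
  ldapsearch -Y EXTERNAL -H ldapi:/// -b "$USERDB" '(olcOverlay=ppolicy)' olcPPolicyDefault
}

# Only touch the server when invoked as "./ppolicy-setup.sh apply";
# sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Order matters: the schema must be loaded before the overlay entry (olcPPolicyConfig references pwdPolicy attributes), and the overlay must exist before users start changing passwords, otherwise pwdAttribute hashing and lockout counters are simply not applied.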