dieter@dkluenter.de wrote:
Full_Name: Dieter Kluenter
Version: 2.4.11
OS: openSUSE-11.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.142.237.56)
Hello, man slapo-ppolicy(5) says that the overlay depends on objectclass pwdPolicy and Every account that should be subject to password policy control should have pwdPolicySubentry...
As usual, it's important that you read every word in the manpage and not skip over anything. The manpage says:
"Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default."
This means the pwdPolicy entry is some other entry, not that user entries must have the pwdPolicy class. Yes, the overlay depends on the pwdPolicy class because entries of pwdPolicy class must be used to store the policy definitions. It doesn't say that user entries must have pwdPolicy class and it would be stupid to store the policy definitions in the user entries. And it would be pointless to require a pwdPolicySubentry attribute to point to the relevant policy if the policy was simply stored in the user entry.
Use your brain.
This ITS will be closed.
But ppolicy is controlling every entry, even those without attribute pwdPolicy and attribute pwdPolicySubentry. I have created a test entry, which is not subject to password policy but got locked out after 3 binds with wrong password.
dn: cn=pw tester,o=avci,c=de
cn: pw tester
createTimestamp: 20080808132851Z
creatorsName: cn=admin,o=avci,c=de
description: Password Tester
entryCSN: 20080808132851.203028Z#000000#000#000000
entryDN: cn=pw tester,o=avci,c=de
entryUUID: af06a7e2-f999-102c-8d8e-df96a2a401d4
hasSubordinates: FALSE
modifiersName: cn=admin,o=avci,c=de
modifyTimestamp: 20080808132851Z
objectClass: person
pwdAccountLockedTime: 20080808133126Z
pwdChangedTime: 20080808132851Z
pwdFailureTime: 20080808133058Z
pwdFailureTime: 20080808133109Z
pwdFailureTime: 20080808133126Z
sn: tester
structuralObjectClass: person
subschemaSubentry: cn=Subschema
userPassword: tested
-Dieter
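
Added example (not part of this thread and not OpenLDAP code): a small audit script that applies the manpage sentence quoted above to an LDIF dump, reporting for each entry whether its policy comes from pwdPolicySubentry or from the configured default, plus its ppolicy failure and lockout state. It assumes a default policy is configured; the DEFAULT_POLICY DN, the second sample entry and the function names are hypothetical.

```python
import base64

# Constructed sample: entry 1 is the thread's test entry (trimmed); entry 2 is hypothetical.
SAMPLE_LDIF = """\
dn: cn=pw tester,o=avci,c=de
pwdFailureTime: 20080808133058Z
pwdFailureTime: 20080808133109Z
pwdFailureTime: 20080808133126Z
pwdAccountLockedTime: 20080808133126Z

dn: cn=svc account,o=avci,c=de
pwdPolicySubentry: cn=service,ou=policies,
 o=avci,c=de
"""
DEFAULT_POLICY = "cn=default,ou=policies,o=avci,c=de"  # hypothetical ppolicy_default DN

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    entries = []
    # A newline followed by one space is a folded line (RFC 2849): join it first.
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:  # skip comment-only blocks and ldapsearch result trailers
            entries.append(entry)
    return entries

def policy_report(entries, default_policy=DEFAULT_POLICY):
    """One row per entry; 'locked' means pwdAccountLockedTime is present."""
    rows = []
    for e in entries:
        explicit = e.get("pwdpolicysubentry")
        rows.append({
            "dn": e["dn"][0],
            "policy": explicit[0] if explicit else default_policy,
            "source": "pwdPolicySubentry" if explicit else "default",
            "failures": len(e.get("pwdfailuretime", [])),
            "locked": "pwdaccountlockedtime" in e,
        })
    return rows

if __name__ == "__main__":
    for row in policy_report(parse_ldif(SAMPLE_LDIF)):
        print(row)
```

The pwd* attributes are operational, so a real dump has to request them explicitly (for example with `+` in the ldapsearch attribute list).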