-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Mon 8/27/2007 9:04 PM
To: Aaron Richton
Cc: Paul J. Pathiakis; openldap-software@openldap.org
Subject: Re: Syncrepl and proxyAgent password expiration
Aaron Richton wrote:
I'm really not that familiar with ppolicy (we don't use it here), so somebody else might have more specific details. However, I'd imagine that you either need to modify the
ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"
using the rootdn, or you need to modify the entry "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to either update the proxyAgent entry (so its password is not expired) or grant an exemption (in the policy) to the proxyAgent.
As noted in the slapo-ppolicy(5) manpage, you can simply set the pwdPolicySubentry attribute of the target entry to point it at a non-default policy. So create a new policy for the proxyAgent user that does not use password expiration, and point the proxyAgent's pwdPolicySubentry attribute at that new policy.
On Mon, 27 Aug 2007, Paul J. Pathiakis wrote:
Howard/Aaron (everyone),
I figured out what I needed after Howard pointed me in the proper direction. I exported the DB into LDIF. I modified the entry for proxyagent to have:
pwdPolicySubentry: cn=proxyPolicy,ou=Policies,dc=eagleaccess,dc=com
after, of course, creating the proxyPolicy password policy with little or no controls on its expiration so that Solaris clients can bind via proxy and query the database.
I then reloaded, restarted, and everything just worked.
Thanks to everyone!
Paul Pathiakis
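
The fix described in this thread, written out as LDIF. This is an added example, not part of the original messages: the DNs come from the thread, while the `device` structural class, the `pwdMaxAge: 0` and `pwdExpireWarning: 0` values, and applying the change online with ldapmodify (the poster exported, edited and reloaded the database instead) are assumptions.

```ldif
# Constructed example. Apply with ldapmodify while bound as the rootdn.

# 1. A dedicated policy for the proxy account. pwdPolicy is an auxiliary
#    class, so a structural class is needed; "device" is an assumption
#    chosen because it only requires cn.
dn: cn=proxyPolicy,ou=Policies,dc=eagleaccess,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: proxyPolicy
pwdAttribute: userPassword
# 0 disables expiration for entries governed by this policy.
pwdMaxAge: 0
# No expiry warnings are needed when nothing expires.
pwdExpireWarning: 0

# 2. Point only the proxyAgent entry at that policy. Every other entry
#    keeps following ppolicy_default (cn=Standard Policy).
dn: cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=proxyPolicy,ou=Policies,dc=eagleaccess,dc=com

# Check afterwards: pwdPolicySubentry is an operational attribute, so it
# must be requested by name in a base-scope search on the proxyAgent DN,
# for example:
#   ldapsearch -x -D <rootdn> -W -s base \
#     -b "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" pwdPolicySubentry
```

Because the exemption is scoped to one entry through pwdPolicySubentry, the default policy's expiration still applies to all user accounts; the proxyAgent password is then the only credential in the tree that never ages out, so it is worth reviewing which ACLs that DN is granted.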