-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Mon 8/27/2007 9:04 PM
To: Aaron Richton
Cc: Paul J. Pathiakis; openldap-software@openldap.org
Subject: Re: Syncrepl and proxyAgent password expiration

Aaron Richton wrote:
> I'm really not that familiar with ppolicy (we don't use it here), so
> somebody else might have more specific details. However, I'd imagine that
> you either need to modify the
>
>> ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"
>
> using the rootdn, or you need to modify the entry
> "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to
> either update the proxyAgent entry (so its' password is not expired) or
> grant an exemption (in the policy) to the proxyAgent.

As noted in the slapo-ppolicy(5) manpage, you can simply set the
pwdPolicySubentry attribute of the target entry to point it at a non-default
policy. So create a new policy for the proxyAgent user that does not use
password expiration, and point the proxyAgent's pwdPolicySubentry attribute at
that new policy.
>
> On Mon, 27 Aug 2007, Paul J. Pathiakis wrote:


Howard/Aaron (everyone),

I figured out what I needed after Howard pointed me in the proper direction.  I exported the DB into LDIF.  I modified the entry for proxyagent to have:

pwdPolicySubentry: cn=proxyPolicy,ou=Policies,dc=eagleaccess,dc=com

after, of course, creating the proxyPolicy password policy with little or no controls on its expiration so that Solaris clients can bind via proxy and query the database.

I then reloaded, restarted, and everything just worked.

Thanks to everyone!

Paul Pathiakis