I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I think I have the policies set up correctly in the LDAP database using the following ppolicy.ldif file:
dn: ou=policies,dc=my-domain,dc=com
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=my-domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 30 day password limit (2592000 seconds) with an even longer expire warning for testing.
pwdExpireWarning: 2592001
pwdMaxAge: 2592000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 6
pwdAllowUserChange: TRUE
# Items not currently used.
pwdMinAge: 0
pwdGraceAuthnLimit: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
and the following entries in the slapd.conf file:
# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com"
However, I'm having trouble creating user accounts.
Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sounds like I need to get these attributes into the account structure.
Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format.
Does anyone have an example LDIF file that shows how to set up a user account to track ppolicy processing? I have the feeling I'm missing something really obvious here, but I absolutely don't see it yet.
Thanks for any help that anyone can provide.
JFE.
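As an added example (not from the original post or from OpenLDAP itself), a small Python check of how the pwdMaxAge and pwdExpireWarning values in the ppolicy.ldif above play out against the pwdChangedTime stamp on a user entry. In ppolicy.schema, pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and pwdHistory are declared NO-USER-MODIFICATION operational attributes that slapd writes itself, which is why an add containing them is rejected; the sample entries and DNs below are constructed.

```python
"""Password-aging check mirroring the pwdMaxAge / pwdExpireWarning rules of the ppolicy.ldif above."""
from datetime import datetime, timedelta, timezone

# Policy values from the cn=default entry: 30-day max age, warning window just larger.
PWD_MAX_AGE = 2592000         # seconds
PWD_EXPIRE_WARNING = 2592001  # seconds

def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form the overlay stores, e.g. 20000103121520Z."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(entry: dict, now: datetime, max_age: int, warning: int) -> dict:
    """Classify one entry as ok / warning / expired."""
    # pwdChangedTime is operational: slapd stamps it itself (NO-USER-MODIFICATION).
    # If it is absent, the password predates the policy and no expiry can be computed.
    changed = entry.get("pwdChangedTime")
    if changed is None:
        return {"dn": entry["dn"], "state": "no-pwdChangedTime", "seconds_left": None}
    expires = parse_generalized_time(changed) + timedelta(seconds=max_age)
    remaining = int((expires - now).total_seconds())
    if remaining <= 0:
        state = "expired"
    elif remaining <= warning:
        state = "warning"   # with warning > max_age, every unexpired password lands here
    else:
        state = "ok"
    return {"dn": entry["dn"], "state": state, "seconds_left": remaining}

def audit(entries, now_generalized: str, max_age=PWD_MAX_AGE, warning=PWD_EXPIRE_WARNING):
    """Run password_state over entries at the given GeneralizedTime 'now'."""
    now = parse_generalized_time(now_generalized)
    return [password_state(e, now, max_age, warning) for e in entries]

# Constructed sample entries with hypothetical DNs, shaped like a search over posixAccount users.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=my-domain,dc=com", "pwdChangedTime": "20070301120000Z"},
    {"dn": "uid=bob,ou=people,dc=my-domain,dc=com", "pwdChangedTime": "20070101120000Z"},
    {"dn": "uid=carol,ou=people,dc=my-domain,dc=com"},  # set before ppolicy was loaded
]

if __name__ == "__main__":
    for result in audit(SAMPLE_ENTRIES, "20070315120000Z"):
        print(result)
```

Passing a smaller warning window (for example 604800 seconds) shows the normal ok / warning / expired split that the test value of 2592001 deliberately collapses.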