-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Mon 8/27/2007 9:04 PM
To: Aaron Richton
Cc: Paul J. Pathiakis; openldap-software@openldap.org
Subject: Re: Syncrepl and proxyAgent password expiration
Aaron Richton wrote:
I'm really not that familiar with ppolicy (we don't use it here), so somebody else might have more specific details. However, I'd imagine that you either need to modify the
ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"
using the rootdn, or you need to modify the entry "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to either update the proxyAgent entry (so its password is not expired) or grant an exemption (in the policy) to the proxyAgent.
As noted in the slapo-ppolicy(5) manpage, you can simply set the pwdPolicySubentry attribute of the target entry to point it at a non-default policy. So create a new policy for the proxyAgent user that does not use password expiration, and point the proxyAgent's pwdPolicySubentry attribute at that new policy.
Howard,
I can't seem to find that attribute in my schemas. I'm running 2.3.36 and I'd expect that pwdPolicySubentry would be there. What do I need to add to the proxyAgent user account for objectclasses so that I get the pwdPolicySubentry included? I'm pretty new to the password policy overlay (heck, overlays in general).
I've deleted and recreated my proxyAgent user.
It has:
inetorgperson posixaccount top pwdpolicy shadowaccount
for its objectclasses.
I'm making the assumption that since it has pwdpolicy, it should have pwdpolicysubentry; however, it's not part of pwdpolicy as defined in the man page and it's supposed to be accessible from the entry that I'm creating. I guess that a user account is not what I want, or is it?
Thank you for any insight. (BTW, the man page was cool. :-) )
Paul Pathiakis
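
The approach Howard describes, written out as LDIF. This is an added example, not part of the original thread: the policy name "Service Account Policy" is hypothetical, the other DNs are the ones quoted in the messages above, and the changes are assumed to be applied with ldapmodify while bound as the rootdn.

```ldif
# Added example. "Service Account Policy" is a hypothetical name;
# the remaining DNs are taken from the thread.

# 1. A separate policy entry whose pwdMaxAge of 0 disables expiration.
#    pwdPolicy is an auxiliary class, so a structural class (device here)
#    is needed to carry it.
dn: cn=Service Account Policy,ou=Policies,dc=eagleaccess,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Service Account Policy
pwdAttribute: userPassword
pwdMaxAge: 0

# 2. Point only the proxyAgent entry at that policy. Entries without
#    pwdPolicySubentry keep using the ppolicy_default policy.
dn: cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=Service Account Policy,ou=Policies,dc=eagleaccess,dc=com
```

pwdPolicySubentry is an operational attribute provided by the ppolicy overlay, so it is set directly on the entry rather than coming from an objectClass, and a search returns it only when it is requested by name or with `+`.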