-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Mon 8/27/2007 9:04 PM
To: Aaron Richton
Cc: Paul J. Pathiakis; openldap-software@openldap.org
Subject: Re: Syncrepl and proxyAgent password expiration

Aaron Richton wrote:
> I'm really not that familiar with ppolicy (we don't use it here), so
> somebody else might have more specific details. However, I'd imagine that
> you either need to modify the
>
>> ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"
>
> using the rootdn, or you need to modify the entry
> "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to
> either update the proxyAgent entry (so its password is not expired) or
> grant an exemption (in the policy) to the proxyAgent.

As noted in the slapo-ppolicy(5) manpage, you can simply set the
pwdPolicySubentry attribute of the target entry to point it at a non-default
policy. So create a new policy for the proxyAgent user that does not use
password expiration, and point the proxyAgent's pwdPolicySubentry attribute at
that new policy.


Howard,

I can't seem to find that attribute in my schemas.  I'm running 2.3.36 and I'd expect that pwdPolicySubentry would be there.  What do I need to add to the proxyAgent user account for objectclasses so that I get the pwdPolicySubentry included?
I'm pretty new to the password policy overlay (heck, overlays in general).

I've deleted and recreated my proxyAgent user.

It has:

inetorgperson
posixaccount
top
pwdpolicy
shadowaccount

for its objectclasses.

I'm making the assumption that since it has pwdpolicy, it should have pwdpolicysubentry; however, it's not part of pwdpolicy as defined in the man page and it's supposed to be accessible from the entry that I'm creating.  I guess that a user account is not what I want, or is it?

Thank you for any insight.  (BTW, the man page was cool. :-) )

Paul Pathiakis
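
The setup Howard Chu describes above (a separate policy without password expiration, referenced from the proxyAgent entry's pwdPolicySubentry), written out as an added LDIF example that is not part of the original thread. The policy name "No Expiry Policy" is a hypothetical choice; the ou=Policies container and the proxyAgent DN are the ones quoted in the thread, and the ppolicy overlay is assumed to be loaded on the database.

```ldif
# Added example, not from the thread. Apply with ldapmodify, binding as the
# rootdn or another identity allowed to write both entries.

# 1. A second policy entry next to the default "Standard Policy".
#    pwdMaxAge: 0 means passwords governed by this policy do not expire.
#    "cn=No Expiry Policy" is a hypothetical name. Any other pwd* settings
#    wanted for this account (for example pwdMinLength) can be added here.
dn: cn=No Expiry Policy,ou=Policies,dc=eagleaccess,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: No Expiry Policy
pwdAttribute: userPassword
pwdMaxAge: 0

# 2. Point the proxyAgent at the new policy. pwdPolicySubentry is an
#    operational attribute defined by the ppolicy overlay itself, so it is
#    not listed under any objectClass; the pwdPolicy objectClass belongs on
#    the policy entry above, not on the user entry.
dn: cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=No Expiry Policy,ou=Policies,dc=eagleaccess,dc=com
```

Because pwdPolicySubentry is operational, a plain search will not return it; request it by name (or with `+`) to confirm the change. Every other entry continues to use the ppolicy_default policy.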