I've got a question regarding the ppolicy overlay. I've read the docs I can find for it on the web, but there are a couple of holes in them and in my knowledge.
I've got the config set up (schema, module load, external check library) and such. I've got the default policy DN in the database and such.
From slapd.conf:

overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
From ldapsearch -b "ou=policies...":

dn: cn=DefaultPassword,ou=Policies,dc=billing,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE
When I add a user and do an ldapsearch of that user, should I see any of the ppolicy user attributes such as "pwdReset" or "pwdChangedTime" in the entry right off the bat or must something happen first (such as having the user change their password)? I ask because I see nothing and hence don't know if ppolicy is ruling the roost or not.
Does ppolicy only affect a specific objectClass of entry (e.g. "inetOrgPerson") or will it take effect on any entry with a "userPassword" entry? None of my user accounts have "inetOrgPerson" object classes. Typical entry:
dn: uid=testuser,ou=People,dc=billing,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
gecos: Test User
homeDirectory: /home/testuser
uidNumber: 32004
gidNumber: 32004
userPassword:: OXgtJnhFM2VsZVls
shadowLastChange: 13978
Oh, by the way, that user was JUST added.
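An added example, not part of the post above: the ppolicy state attributes (pwdChangedTime, pwdReset, pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime, pwdHistory, pwdPolicySubentry) are operational attributes, so an ldapsearch that lists no attributes returns only user attributes and never shows them; they have to be requested, either by name or with '+'. The overlay also keys on the attribute named in pwdAttribute (userPassword), not on an objectClass. The script below builds that ldapsearch command line, then parses LDIF of the shape ldapsearch prints and reports, per entry, which ppolicy state attributes are present and whether the stored userPassword carries a {SCHEME} prefix (the check for ppolicy_hash_cleartext having applied). The hostnames, DNs, password values and the LDIF text are constructed for illustration and are not taken from the poster's directory.

```python
"""Added example: report ppolicy state from ldapsearch output.

Everything below (URI, DNs, the sample LDIF and its values) is constructed
for illustration; it is not the poster's configuration or data.
"""
import base64
import re

# Operational attributes that slapo-ppolicy maintains on a user entry.
PPOLICY_STATE_ATTRS = (
    "pwdChangedTime",
    "pwdReset",
    "pwdFailureTime",
    "pwdAccountLockedTime",
    "pwdGraceUseTime",
    "pwdHistory",
    "pwdPolicySubentry",
)

# attr: value  or  attr:: base64value  (RFC 2849)
_LDIF_LINE = re.compile(r"^([^:\s]+)(::?)\s?(.*)$")


def ppolicy_search_cmd(entry_dn, bind_dn, uri="ldap://localhost"):
    """argv for a base-scope search asking for user ('*') and operational ('+') attributes."""
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", entry_dn, "-s", "base", "(objectClass=*)", "*", "+"]


def parse_ldif(text):
    """Small LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    skips '#' comments and drops the dn-less 'search:/result:' trailer that
    ldapsearch prints.  Returns a list of dicts {'dn': str, attr: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:               # sentinel flushes the last record
        if not line.strip():
            if "dn" in current:                # records without a dn are not entries
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = _LDIF_LINE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            current["dn"] = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def ppolicy_state(entry):
    """{stateAttr: values} for the ppolicy state attributes present on one entry
    (attribute names compared case-insensitively, as LDAP does)."""
    wanted = {a.lower(): a for a in PPOLICY_STATE_ATTRS}
    return {wanted[k.lower()]: v for k, v in entry.items() if k.lower() in wanted}


def password_storage(entry):
    """'hashed' if every userPassword value has a {SCHEME} prefix, 'cleartext' if
    any value lacks one, None if the entry has no userPassword."""
    values = next((v for k, v in entry.items() if k.lower() == "userpassword"), None)
    if not values:
        return None
    hashed = all(re.match(r"^\{[A-Za-z0-9-]+\}", v) for v in values)
    return "hashed" if hashed else "cleartext"


def report(ldif_text):
    """Map each entry DN to its ppolicy state and password storage form."""
    return {e["dn"]: {"ppolicy": ppolicy_state(e), "userPassword": password_storage(e)}
            for e in parse_ldif(ldif_text)}


# Constructed sample shaped like ldapsearch output after a '*' '+' query.
# alice carries ppolicy state and a {SSHA} placeholder ("{SSHA}abc", not a real
# hash); bob shows user attributes only and a cleartext password ("secret123").
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
objectClass: account
objectClass: posixAccount
userPassword:: e1NTSEF9YWJj
pwdChangedTime: 20240301120000Z
pwdPolicySubentry: cn=DefaultPassword,ou=Policies,
 dc=example,dc=com
pwdReset: TRUE

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
objectClass: account
objectClass: posixAccount
userPassword:: c2VjcmV0MTIz

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

if __name__ == "__main__":
    print(" ".join(ppolicy_search_cmd("uid=alice,ou=People,dc=example,dc=com",
                                      "cn=admin,dc=example,dc=com")))
    for dn, info in report(SAMPLE_LDIF).items():
        print(dn, info)
```

Run the printed ldapsearch command against the real server (binding as rootdn or another identity allowed to read the entry) and feed its output to report(); an entry whose ppolicy dict comes back empty has not had its password touched through slapd with the overlay active, and a userPassword reported as cleartext means ppolicy_hash_cleartext did not apply to that value.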