Hummm... had not used shadowAccount, and removing the ppolicy-specific attributes allows the LDIF file to properly set up the account.
Thanks.
JFE.
From: "Joshua M. Miller" joshua@itsecureadmin.com
To: Jack Emmerichs beamrider1@hotmail.com
CC: openldap-software@openldap.org
Subject: Re: Setting up user accounts with ppolicy attributes
Date: Tue, 26 Jun 2007 07:17:53 -0700
Jack,
I haven't tried setting the pwdChangedTime, but I recently implemented ppolicy and every time a user changes their password, it sets this attribute to the current time; not sure if that was part of your question. On all NEW user entries that I create, the pwdChangedTime is already set so that the password policies apply to those users.
$ ldapsearch -x -H ldaps://host.example.org cn=default
dn: cn=default,ou=Policies,dc=example,dc=org
cn: default
objectClass: pwdPolicy
objectClass: device
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdCheckQuality: 1
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 0
An example of one of my users:
$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid>
dn: cn=First Last,ou=People,dc=example,dc=org
givenName: First
sn: Last
cn: First Last
uid: uid
uidNumber: <uid #>
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
gidNumber: <gid #>
homeDirectory: /home/<uid>
shadowLastChange: 13634
$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid> +
dn: cn=first last,ou=People,dc=example,dc=org
creatorsName: cn=manager,dc=example,dc=org
createTimestamp: 20060501144730Z
structuralObjectClass: inetOrgPerson
entryUUID: 2d89674c-7b0d-102b-8606-4f7ba9469bfa
pwdChangedTime: 20070515203623Z
entryCSN: 20070515203623Z#000001#00#000000
modifiersName: cn=First Last,ou=People,dc=example,dc=org
modifyTimestamp: 20070515203623Z
entryDN: cn=First Last,ou=People,dc=example,dc=org
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Thanks,
Joshua M. Miller - RHCE,VCP
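As an added example (not code from the thread or from OpenLDAP), here is how a defender can check what the operational attributes above actually mean for an account: it parses the quoted cn=default policy, derives the expiry and warning window from pwdChangedTime plus pwdMaxAge, and evaluates pwdAccountLockedTime against pwdLockoutDuration. The policy values are the thread's; parse_ldif is a minimal flat-LDIF reader written for this example, and any pwdAccountLockedTime value fed to it is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the cn=default policy quoted in the thread (values are the thread's).
POLICY_LDIF = """dn: cn=default,ou=Policies,dc=example,dc=org
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
"""

def parse_ldif(text):
    """Parse one flat LDIF entry into {attribute: [values]} (no base64, no folded lines)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def gentime(value):
    """Parse an LDAP GeneralizedTime such as 20070515203623Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(user, policy, now):
    """Return (status, seconds_until_expiry) from pwdChangedTime and pwdMaxAge.

    A missing pwdChangedTime means the overlay never recorded a change, so
    pwdMaxAge cannot be enforced for that entry; that is the gap the thread is about."""
    changed = user.get("pwdChangedTime")
    if not changed:
        return ("no-pwdChangedTime", None)
    expires = gentime(changed[0]) + timedelta(seconds=int(policy["pwdMaxAge"][0]))
    left = (expires - now).total_seconds()
    if left <= 0:
        return ("expired", left)
    if left <= int(policy["pwdExpireWarning"][0]):
        return ("warning", left)
    return ("ok", left)

def is_locked(user, policy, now):
    """True while pwdAccountLockedTime is within pwdLockoutDuration (0 = until reset)."""
    locked = user.get("pwdAccountLockedTime")
    if not locked:
        return False
    if locked[0] == "000001010000Z":  # ppolicy's sentinel for an administrative lock
        return True
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    return duration == 0 or now < gentime(locked[0]) + timedelta(seconds=duration)
```

Running password_state against the quoted user entry at a date inside the 604800-second warning window returns "warning" with the remaining seconds, which is the same information the overlay's password-expiry warning control carries.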
Jack Emmerichs wrote:
Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sounds like I need to get these attributes into the account structure.
Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format.