On Wednesday 12 March 2008 01:38:52 Ryan Steele wrote:
Hey folks,
If this is the wrong list, please let me know and I'd be happy to send it to the right one.
As I've mentioned in a previous post (which hasn't been posted yet, so I apologize if you've seen any of this information already) I've got a FC6 box, with OpenLDAP 2.3.30. I'm attempting to get ppolicy to work, and I can now successfully start OpenLDAP with the ppolicy directive in it:
### abridged slapd.conf ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema

modulepath /usr/lib/openldap

overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
    by self write
    by * auth
access to *
    by * read

database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
sasl-secprops none
[...]
However, when I add users, I see no special attributes that show they're being regulated by ppolicy (Googling turned up some ldif's that had pwdPolicySubentry attributes - should I have that?) Additionally, I can enter passwords such as 'a' - single characters, and it doesn't complain at all. In fact, none of the restrictions are being enforced, and I'm really scratching my head.
In all my configs using ppolicy, I have the overlay as a database overlay, not a global overlay. Since I require this (my production servers have databases that *must* not have ppolicy, and one that must have it), I haven't tested with a global overlay. So, move all the ppolicy configuration (not the schema or moduleload, just the overlay and ppolicy_default) to the end of your config ...
Regards, Buchan
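
Added example, not part of the original thread and not OpenLDAP code: a small Python check for the placement advice in the reply above. It reports a ppolicy overlay declared before any database section and, going beyond the reply, a ppolicy_default DN that is not under a suffix of the database in scope. The finding names and the sample strings are made up for the example, and the DN check assumes the policy entry is stored in that database.

```python
import shlex

# Constructed sample: directive order of the abridged slapd.conf quoted above.
POSTED = '''\
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"
database bdb
suffix "dc=example,dc=com"
'''
# Same directives with the two ppolicy lines moved to the end, as the reply suggests.
MOVED = "".join(POSTED.splitlines(True)[2:] + POSTED.splitlines(True)[:2])

def directives(text):
    """Yield directives as token lists; indented lines continue the previous one."""
    buf = ""
    for raw in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if raw[:1] in (" ", "\t") and raw.strip():
            buf += " " + raw.strip()
        else:
            if buf.strip():
                yield shlex.split(buf)
            buf = raw

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_ppolicy(text):
    """Return finding codes (hypothetical names) for ppolicy placement and default DN."""
    dbs, overlays, defaults = [], [], []  # dbs[i] holds the suffixes of database i
    for tok in directives(text):
        key, scope = tok[0].lower(), (len(dbs) - 1 if dbs else None)
        if key == "database":
            dbs.append([])
        elif key == "suffix" and dbs:
            dbs[-1].append(norm(tok[1]))
        elif key == "overlay" and tok[1:] == ["ppolicy"]:
            overlays.append(scope)  # None means declared before any database
        elif key == "ppolicy_default":
            defaults.append((scope, norm(tok[1])))
    findings = ["global-overlay"] if None in overlays else []
    for scope, dn in defaults:
        # Assumption: the policy entry lives under a suffix of the database in scope.
        pool = dbs[scope] if scope is not None else [s for d in dbs for s in d]
        if not any(dn == s or dn.endswith("," + s) for s in pool):
            findings.append("default-dn-outside-suffix")
    return findings

if __name__ == "__main__":
    print(check_ppolicy(POSTED), check_ppolicy(MOVED))
```

Moving the overlay clears the placement finding; the DN finding remains until ppolicy_default names an entry under the database suffix.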