If I recall correctly, the default policy is applied w/o an entry in the record. If you want to apply a specific policy that is not the default, you have to have the entry in the account for the password entry
e.g. an entry like this would override the default
pwdPolicySubentry: cn=staff,ou=policies,dc=x,dc=y
If that entry is missing, it simply uses the default entry set up in slapd.conf or cn=config.
"ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced."
-- source: man slapo-ppolicy
I hope that is helpful
Sellers
On Mar 11, 2008, at 7:38 PM, Ryan Steele wrote:
Hey folks,
If this is the wrong list, please let me know and I'd be happy to send it to the right one.
As I've mentioned in a previous post (which hasn't been posted yet, so I apologize if you've seen any of this information already), I've got an FC6 box with OpenLDAP 2.3.30. I'm attempting to get ppolicy to work, and I can now successfully start OpenLDAP with the ppolicy directive in it:
### abridged slapd.conf ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema

modulepath /usr/lib/openldap

overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"

access to attrs = userPassword ,sambaNTPassword ,sambaLMPassword ,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
    by self write
    by * auth
access to *
    by * read

database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

sasl-secprops none

### Password Policy entry via slapcat ###
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: 2.5.4.35
pwdMaxAge: 3888000
pwdInHistory: 2
pwdCheckQuality: 1
pwdMinLength: 6
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockoutDuration: 7776000
pwdLockout: TRUE
structuralObjectClass: device
entryUUID: 2e1eee98-83ea-102c-9736-1d2794f3677b
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080311190746Z
entryCSN: 20080311190746Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080311190746Z

[root@server openldap]# /etc/init.d/ldap start
Checking configuration files for slapd: WARNING: No dynamic config support for overlay ppolicy.
config file testing succeeded                              [  OK  ]
Starting slapd:                                            [  OK  ]
From what I gather, since I'm using a slapd.conf and not a back-bdb, that warning does not apply to me.
However, when I add users, I see no special attributes that show they're being regulated by ppolicy (Googling turned up some LDIFs that had pwdPolicySubentry attributes; should I have that?). Additionally, I can enter passwords such as 'a' (single characters), and it doesn't complain at all. In fact, none of the restrictions are being enforced, and I'm really scratching my head. The options I compiled with were:
--enable-plugins \
--enable-ppolicy=yes \
--enable-slapd \
--enable-slurpd \
--enable-multimaster \
--enable-bdb \
--enable-hdb \
--enable-ldap \
--enable-ldbm \
--with-ldbm-api=%{ldbm_backend} \
--enable-meta \
--enable-monitor \
--enable-null \
--enable-shell \
--enable-sql=mod \
--disable-perl \
--disable-shared \
--disable-dynamic \
--enable-static \
--with-kerberos=k5only
Thanks in advance for any help...
Best Regards, Ryan
______________________________________________
Chris G. Sellers | NITLE - Technology Team
734.661.2318 | chris.sellers@nitle.org
AIM: imthewherd | GoogleTalk: cgseller@gmail.com
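The reply above rests on one rule from slapo-ppolicy: an entry without pwdPolicySubentry falls back to ppolicy_default, and if that default DN names no existing pwdPolicy entry, nothing is enforced at all. That makes "does the ppolicy_default DN actually exist in the directory?" the first thing to check when a policy appears to be ignored; in the posted slapd.conf the ppolicy_default DN ends in ou=example,ou=com while the slapcat dump shows the policy entry under dc=example,dc=com. The script below is an added example written for this page, not code from either poster or from OpenLDAP: it parses a slapd.conf excerpt and a slapcat LDIF dump offline and reports password-bearing entries that end up with no policy, either because their pwdPolicySubentry points at a missing entry or because they rely on a default that does not resolve. The two user entries (alice, bob), their values and the cn=staff policy DN are constructed; the policy entry is abridged from the one in the thread.

```python
"""Audit OpenLDAP ppolicy coverage from a slapd.conf excerpt and a slapcat dump.

Constructed example: the policy entry mirrors the one in the thread; the two
user entries and their values are made up for illustration.
"""
import base64
import re

# Constructed slapd.conf excerpt. The ppolicy_default DN is copied from the
# thread, where it says ou=example,ou=com although the policy entry lives
# under dc=example,dc=com.
SLAPD_CONF = """
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"
"""

# Constructed slapcat output: the thread's policy entry (abridged) plus two
# hypothetical users. Only bob carries an explicit pwdPolicySubentry.
LDIF_DUMP = """
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: 2.5.4.35
pwdMinLength: 6
pwdLockout: TRUE

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}placeholder-hash

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}placeholder-hash
pwdPolicySubentry: cn=staff,ou=policies,dc=example,dc=com
"""


def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs that differ only in case or spacing
    compare equal. Not a full RFC 4514 normaliser, but enough for a dump audit."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Parse LDIF into a list of entries; each entry maps a lower-cased
    attribute name to its list of values. Handles folded lines and ::base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def default_policy_dn(conf):
    """Return the DN given to ppolicy_default in slapd.conf, or None if absent."""
    m = re.search(r'^\s*ppolicy_default\s+"?([^"\n]+?)"?\s*$', conf, re.M)
    return m.group(1) if m else None


def audit(conf, ldif):
    """Return findings for entries that end up with no enforced policy or that
    reference a policy DN the dump does not contain."""
    by_dn = {normalize_dn(e["dn"][0]): e for e in parse_ldif(ldif)}
    policies = {dn for dn, e in by_dn.items()
                if "pwdpolicy" in (oc.lower() for oc in e.get("objectclass", []))}
    default = default_policy_dn(conf)
    default_ok = default is not None and normalize_dn(default) in policies
    findings = []
    if default is None:
        findings.append("no ppolicy_default configured; entries without pwdPolicySubentry get no policy")
    elif not default_ok:
        findings.append(f"ppolicy_default {default!r} matches no pwdPolicy entry in the dump")
    for dn, e in by_dn.items():
        if "userpassword" not in e:                 # only password-bearing entries matter
            continue
        sub = e.get("pwdpolicysubentry")
        if sub and normalize_dn(sub[0]) not in policies:
            findings.append(f"{dn}: pwdPolicySubentry {sub[0]!r} points at a missing policy")
        elif not sub and not default_ok:
            findings.append(f"{dn}: no pwdPolicySubentry and no usable default, so no policy is enforced")
    return findings


if __name__ == "__main__":
    for f in audit(SLAPD_CONF, LDIF_DUMP):
        print("FINDING:", f)
```

Run against the constructed input it reports three findings: the default DN resolves to nothing, alice therefore gets no policy, and bob's explicit pwdPolicySubentry names a policy that is not in the dump. Changing the default to dc=example,dc=com clears the first two, which is the behaviour the man page excerpt describes. Feed it the real `slapcat` output and slapd.conf on a box to see which accounts are actually covered before trusting the lockout and length settings.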