If I recall correctly, the default policy is applied w/o an entry in the record.   If you want to apply a specific policy that is not the default, you have to have the entry in the account for the password entry

e.g. an entry like this would override the default

pwdPolicySubentry: cn=staff,ou=policies,dc=x,dc=y

where if that entry was missing, then it would simply use the default entry setup in the slapd.conf or cn=config .


"

       ppolicy_default <policyDN>
              Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry
              and no default is given, then no policies will be enforced.
"  --source   man slapo-ppolicy

I hope that is helpful

Sellers


On Mar 11, 2008, at 7:38 PM, Ryan Steele wrote:
Hey folks,

If this is the wrong list, please let me know and I'd be happy to send
it to the right one.

As I've mentioned in a previous post (which hasn't been posted yet, so I
apologize if you've seen any of this information already) I've got a FC6
box, with OpenLDAP 2.3.30.  I'm attempting to get ppolicy to work, and I
can now successfully start OpenLDAP with the ppolicy directive in it:

### abridged slapd.conf ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema

modulepath /usr/lib/openldap

overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"

access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
by self write
by * auth
access to *
by * read

database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
sasl-secprops none


### Password Policy entry via slapcat ###
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: 2.5.4.35
pwdMaxAge: 3888000
pwdInHistory: 2
pwdCheckQuality: 1
pwdMinLength: 6
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockoutDuration: 7776000
pwdLockout: TRUE
structuralObjectClass: device
entryUUID: 2e1eee98-83ea-102c-9736-1d2794f3677b
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080311190746Z
entryCSN: 20080311190746Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080311190746Z


[root@server openldap]# /etc/init.d/ldap start
Checking configuration files for slapd: WARNING: No dynamic config
support for overlay ppolicy.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]

From what I gather, since I'm using a slapd.conf and not a back-bdb,
that warning does not apply to me.

However, when I add users, I see no special attributes that show they're
being regulated by ppolicy (Googling turned up some ldif's that had
pwdPolicySubentry attributes - should I have that?) Additionally, I can
enter passwords such as 'a' - single characters, and it doesn't complain
at all.  In fact, none of the restrictions are being enforced, and I'm
really scratching my head.  The options I compiled with were:

       --enable-plugins \
       --enable-ppolicy=yes \
       --enable-slapd \
       --enable-slurpd \
       --enable-multimaster \
       --enable-bdb \
       --enable-hdb \
       --enable-ldap \
       --enable-ldbm \
       --with-ldbm-api=%{ldbm_backend} \
       --enable-meta \
       --enable-monitor \
       --enable-null \
       --enable-shell \
       --enable-sql=mod \
       --disable-perl \
       --disable-shared \
       --disable-dynamic \
       --enable-static \
       --with-kerberos=k5only



Thanks in advance for any help...

Best Regards,
Ryan

______________________________________________
Chris G. Sellers | NITLE  - Technology Team
AIM: imthewherd | GoogleTalk: cgseller@gmail.com