When ppolicy is set as default, it applies globally to the entire LDAP tree:
dn: cn=default,ou=policies,dc=zednax,dc=com
Is it possible to set the ppolicy by group?
Regards,
Andy
As far as I know you can only set it by person. By adding the pwdPolicySubentry object to the person and have it's value equal the dn of the policy you want to enforce upon it. If it is possible by group, I'd like to know.
Adam
On Thu, Jun 12, 2008 at 9:49 AM, Andy Loughran andy@zrmt.com wrote:
Guys,
Sorry to be a pain, but is there just this one #default ppolicy - and exceptions need to be made on an individual basis?
Regards,
Andy Loughran
Adam Leach wrote:
-- Adam Leach BS Computer/Electrical Engineering West Virginia University System Administrator - Raytheon (304)677-4455
andylockran wrote:
Guys,
Sorry to be a pain, but is there just this one #default ppolicy - and exceptions need to be made on an individual basis?
There's one configurable default:
database bdb
suffix dc=example,dc=com
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
man slapo-ppolicy:
"Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. In this way different users may be managed according to different policies."
Gavin,
Ah, so that would suggest that adding a:
pwdPolicySubentry: cn=lesser,ou=ppolicy,dc=example,dc=com
to users of a specific group would allow the entire group to be managed by that particular policy.
Thanks.
Andy
----- Original Message -----
From: "Gavin Henry" ghenry@suretecsystems.com
To: "andylockran" andy@zrmt.com
Cc: "Adam Leach" adam.m.leach@gmail.com; openldap-software@openldap.org
Sent: Tuesday, June 17, 2008 11:18 AM
Subject: Re: ppolicy by group
-- Kind Regards,
Gavin Henry.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry@suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP.
Andy Loughran wrote:
Gavin,
Ah, so that would suggest that adding a:
pwdPolicySubentry: cn=lesser,ou=ppolicy,dc=example,dc=com
to users of a specific group would allow the entire group to be managed by that particular policy.
"Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. In this way different users may be managed according to different policies."
That's what it says ;-)
Gavin,
Sorry, in the excitement of being shown how to apply multiple policies - I missed how to actually do this by group.
Is there a way to add the pwdPolicySubentry: field to a Group - rather than a user. So that any user in the group will have to abide by the policy - rather than having to apply a different policy to the user?
Regards,
Andy
----- Original Message -----
From: "Gavin Henry" ghenry@suretecsystems.com
To: "Andy Loughran" andy@zrmt.com
Cc: openldap-software@openldap.org; "Adam Leach" adam.m.leach@gmail.com
Sent: Tuesday, June 17, 2008 11:47 AM
Subject: Re: ppolicy by group
Andy Loughran wrote:
Is there a way to add the pwdPolicySubentry: field to a Group - rather than a user. So that any user in the group will have to abide by the policy - rather than having to apply a different policy to the user?
pwdPolicySubentry applies only to the particular entry to which it was added. I don't know any configuration which allows what you're after.
Ciao, Michael.
Gavin Henry wrote:
man slapo-ppolicy:
"Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. In this way different users may be managed according to different policies."
Is it safe to conclude from that that if there is no default policy configured then unless an account has a pwdPolicySubentry containing the DN of a valid pwdPolicy entry it will not be subject to password policy?
Also is it generally safe to configure the policy overlay in a currently running and used openldap server? This would not affect current authentication for example? Having not configured a default, if the above is true, one could by hand switch on the policy by setting pwdPolicySubentry?
Thank you, Jeroen
Jeroen van Aart wrote:
Gavin Henry wrote:
man slapo-ppolicy:
"Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. In this way different users may be managed according to different policies."
Is it safe to conclude from that that if there is no default policy configured then unless an account has a pwdPolicySubentry containing the DN of a valid pwdPolicy entry it will not be subject to password policy?
Read the manpage yourself, it's all explained there already.
Howard Chu wrote:
Read the manpage yourself, it's all explained there already.
Thanks for the advice. I did that already and upon closer re-reading indeed it answers some of my questions:
"pwdPolicySubentry
This attribute refers directly to the pwdPolicy subentry that is to be used for this particular directory user. If pwdPolicySubentry exists, it must contain the DN of a valid pwdPolicy object. If it does not exist, the ppolicy module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no policy rules will be enforced."
However I have been unable to verify that if I reconfigure slapd to use ppolicy then its current functionality will not be influenced? I assume that is the case given the above quote. But it'd be nice to have it confirmed.
Thank you, Jeroen
Jeroen van Aart wrote:
However I have been unable to verify that if I reconfigure slapd to use ppolicy then its current functionality will not be influenced? I assume that is the case given the above quote. But it'd be nice to have it confirmed.
If you don't have a default ppolicy defined and no pwdPolicySubentry then slapd will perform as it is currently configured.
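As an added example (not code from this thread or from OpenLDAP), the following Python does what the thread concludes is the only option for "ppolicy by group": it walks a group's members and emits an ldapmodify LDIF that sets pwdPolicySubentry on each one, and it encodes the slapo-ppolicy rule quoted above so the effective policy of an account can be checked before and after the change. The directory contents, DNs and policy names are constructed stand-ins for ldapsearch output.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample directory standing in for ldapsearch output.
# Every DN, user and policy name here is hypothetical, not from the thread.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "pwdPolicySubentry": ["cn=strict,ou=policies,dc=example,dc=com"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "cn=lesser,ou=policies,dc=example,dc=com": {"objectClass": ["pwdPolicy"]},
    "cn=strict,ou=policies,dc=example,dc=com": {"objectClass": ["pwdPolicy"]},
}

def is_policy(dn: str) -> bool:
    return "pwdPolicy" in DIRECTORY.get(dn, {}).get("objectClass", [])

def effective_policy(user_dn: str, default_policy: Optional[str] = None) -> Optional[str]:
    """Resolve the pwdPolicy slapo-ppolicy enforces for user_dn, per the man page
    rule quoted in the thread: an explicit pwdPolicySubentry wins, otherwise
    ppolicy_default applies; no default or a dangling reference means no policy."""
    sub = DIRECTORY.get(user_dn, {}).get("pwdPolicySubentry")
    target = sub[0] if sub else default_policy
    return target if target and is_policy(target) else None

def group_policy_ldif(group_dn: str, policy_dn: str, override: bool = False) -> Tuple[str, List[str]]:
    """Emulate 'ppolicy by group': emit LDIF that sets pwdPolicySubentry to
    policy_dn on every member of group_dn. Members already under a different
    policy are skipped unless override=True, so a bulk change cannot silently
    move an account off a stricter policy it was deliberately given."""
    if not is_policy(policy_dn):
        raise ValueError(f"{policy_dn} is not an existing pwdPolicy entry")
    changes, skipped = [], []
    for member in DIRECTORY.get(group_dn, {}).get("member", []):
        current = DIRECTORY.get(member, {}).get("pwdPolicySubentry", [])
        if current and current[0] != policy_dn and not override:
            skipped.append(member)
            continue
        changes.append(f"dn: {member}\nchangetype: modify\n"
                       f"replace: pwdPolicySubentry\npwdPolicySubentry: {policy_dn}\n")
    return "\n".join(changes), skipped
```

The returned LDIF can be fed to ldapmodify; the resolver confirms the thread's final answer that an account with neither a pwdPolicySubentry nor a ppolicy_default is under no policy at all.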