Hello,
I've got my ldap infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastic (I can clear a db on a remote slave and in less than 30 seconds after startup, it'll reacquire the entire db!).
I'm now having an issue with one of the very last things: getting a password policy into effect.
When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:
Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values
I get that error in the logs whether I try to add it by hand via Apache Directory Studio, or an ldif import/modify:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
Here are the related slapd.conf overlay directives:
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
(Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.)
And for completeness, here's the entry that I'm attempting to add this attribute to:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword:: <<snipped>>
And here's the password policy ldif:
dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies
dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE
When I built openldap, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so I get in the logs:
line 18 (moduleload ppolicy.la)
module_load: (ppolicy.la) already present (static)
Which I'm pretty sure means it's already loaded...
Any idea as to what I'm doing wrong?
Thanks,
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs(a)apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.