On Mon, Nov 19, 2012 at 03:14:42PM +0000, jeevan kc wrote:
I want to enable password policy on OpenLDAP 2.4.30 (to all users). I see that the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present on /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the policy.ldif to the cn=config folder? Is there a specific procedure to do that, or can I add it manually with ldapadd? Also, how do I enable that schema for all users? Please help.
The Admin Guide is a good place to start:
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
To get the schema into your config, you should include it, e.g. if using slapd.conf you need a line like this in the global section:
include /usr/local/etc/openldap/schema/ppolicy.schema
Now in the database section holding your user entries:
database hdb
suffix "dc=dir,dc=example,dc=org"
directory "/var/lib/ldap/db"
...
overlay ppolicy
ppolicy_default "cn=Password Policy,dc=dir,dc=example,dc=org"
ppolicy_hash_cleartext
It is important that the default policy entry is in the same backend DB as the users that it will control (ITS#7262).
Your actual policy can then be loaded from an LDIF file, e.g.:
# Default password policy
# Applies to userPassword (2.5.4.35)
#
dn: cn=Password Policy,dc=dir,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 9
It will apply to all users unless you place an explicit policy link in the pwdPolicySubEntry attribute of the user entry to override it.
Andrew
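Since the question was about slapd.d/cn=config rather than slapd.conf, here is the equivalent of the include/overlay steps above done online with ldapadd/ldapmodify. This is an added example, not part of Andrew's reply; it assumes the user database is olcDatabase={1}hdb,cn=config, that ppolicy was built as a dynamic module (cn=module{0},cn=config), and that the schema lives under /usr/local/etc/openldap/schema as in the question.

```ldif
# 1. Load the ppolicy schema into cn=config using the ppolicy.ldif that ships
#    with OpenLDAP (this creates cn={N}ppolicy,cn=schema,cn=config):
#
#    ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/local/etc/openldap/schema/ppolicy.ldif
#
# 2. + 3. Apply the two records below with:
#
#    ldapmodify -Y EXTERNAL -H ldapi:/// -f enable-ppolicy.ldif

# 2. Load the overlay module. Only needed when ppolicy was built as a dynamic
#    module; if slapd was built with the overlay linked in statically, drop
#    this record, otherwise the ldapmodify will fail on an unknown module.
#    Assumption: the module entry is cn=module{0},cn=config.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 3. Attach the overlay to the database that holds the user entries.
#    Assumption: that database is olcDatabase={1}hdb,cn=config.
#    olcPPolicyDefault must point to an entry inside this same database
#    (see ITS#7262 above); the policy entry itself is loaded afterwards into
#    the user database with an ordinary ldapadd, as in Andrew's LDIF.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=Password Policy,dc=dir,dc=example,dc=org
olcPPolicyHashCleartext: TRUE

# 4. Check that both pieces are live before adding the policy entry:
#
#    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(cn=*ppolicy*)" cn
#    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcPPolicyConfig)"
```

If slapd is not listening on ldapi:/// or the root DSE is not granted to the local root user via SASL EXTERNAL, replace the authentication options with whatever your cn=config olcRootDN/olcRootPW allow.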