I’ve been reading the Password Policy section of the Admin Guide. I am currently at this portion of the setup (the default policy is set up):
You can create additional policy objects as needed.
There are two ways password policy can be applied to individual objects:
1. The pwdPolicySubentry in a user's object - If a user's object has a pwdPolicySubentry attribute specifying the DN of a policy object, then the policy defined by that object is applied.
2. Default password policy - If there is no specific pwdPolicySubentry set for an object, and the password policy module was configured with the DN of a default policy object and if that object exists, then the policy defined in that object is applied.
When trying to add the pwdPolicySubentry attribute, I receive the following: “According to the schema attribute pwdPolicySubentry is not allowed.”
First, can someone explain the meaning of #2? The way that I read it is that if the “pwdPolicySubentry” is not available, and the policy was created, then the policy is applied. Is that correct?
My policy looks like:
dn: cn=default,ou=pwpolicies,dc=example,dc=ldap
objectClass: top
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdAllowUserChange: TRUE
pwdExpireWarning: 14
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 15552000
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdMinAge: 1
pwdMinLength: 9
pwdMustChange: TRUE
Thanks in advance.
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Humanitarian Assistance and Disaster Relief (HADR) Systems
244 Wood St
Lexington, MA 02420
Email: john.borresen@ll.mit.edu
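As an added example (not part of the post above, and not OpenLDAP's own code), the Python below models the two resolution rules quoted from the Admin Guide and sanity-checks the posted policy. The user entries, the second policy DN and the one-day warning threshold are constructed for this example; the default DN passed to rule 2 stands in for the overlay's ppolicy_default / olcPwdPolicyDefault setting.

```python
from typing import Optional

# Constructed input: the posted policy, trimmed to the attributes checked below.
POLICY_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=example,dc=ldap
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdExpireWarning: 14
pwdLockout: TRUE
pwdMaxAge: 15552000
pwdMaxFailure: 5
pwdMinAge: 1
pwdMinLength: 9
"""

def parse_ldif(text: str) -> dict:
    """Minimal single-entry LDIF reader: 'attr: value' lines, multi-valued attrs."""
    entry: dict = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry

def effective_policy(entry: dict, policies: dict, default_dn: Optional[str]) -> Optional[str]:
    """Rule 1: a pwdPolicySubentry on the entry names the policy. Rule 2: otherwise the
    overlay's configured default DN applies, but only if that object exists. A subentry
    naming a missing object falls through to rule 2 here (this example's assumption)."""
    for dn in entry.get("pwdPolicySubentry", []):
        if dn in policies:
            return dn
    if default_dn and default_dn in policies:
        return default_dn
    return None  # no policy object applies, so nothing is enforced for this entry

def check_policy(p: dict) -> list:
    """Consistency checks on one policy; the one-day warning threshold is this example's."""
    g = lambda a: int(p.get(a, ["0"])[0])  # numeric attribute, 0 when absent
    findings = []
    if g("pwdMaxAge") and g("pwdMinAge") >= g("pwdMaxAge"):
        findings.append("pwdMinAge must be below pwdMaxAge")
    if g("pwdMaxAge") and g("pwdExpireWarning") >= g("pwdMaxAge"):
        findings.append("pwdExpireWarning must be below pwdMaxAge")
    if 0 < g("pwdExpireWarning") < 86400:  # the attribute is in seconds, not days
        findings.append(f"pwdExpireWarning={g('pwdExpireWarning')} seconds is under one day")
    if p.get("pwdLockout", ["FALSE"])[0] == "TRUE" and g("pwdMaxFailure") == 0:
        findings.append("pwdLockout TRUE has no effect with pwdMaxFailure 0")
    return findings
```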