Thank you for your reply.
But then how can I use this:
dn: cn=search,ou=users,ou=my_dn changetype: modify add: pwdPolicySubentry pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"
I want to exclude user: search from default policy
From docs:
Finally the account entry for the user(s) to whom this policy applies are modified to point to the specific policy using the following LDIF fragment:
# point the users entry to the specific policy dn: cn=John Smith,ou=people,dc=example,dc=com changetype: modify add: pwdPolicySubentry pwdPolicy: "cn=user,ou=pwpolicies,dc=example,dc=com" ------------------------------------------------------------------------ ---- When I tried run it in my LDAP browser I got:
Line 4, Column 0: Unexpected line found: 'pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"'. Line 4, Column 0: The 'add' modification operation must have at least one value specified (Attribute: 'pwdPolicySubentry'). Line 4: Unexpected end of LDIF file. The last record will not be committed. Import data complete. Elapsed time: 0:00. Entries processed: 0. Warning(s): 0, error(s): 3.
Can you please tell may be another way, how to exclude user:search from:
dn: cn=std, ou=ppolicy, ou=my_dn pwdCheckModule: check_password.so pwdMaxFailure: 6 pwdMustChange: TRUE pwdAttribute: userPassword pwdMinLength: 7 pwdSafeModify: FALSE pwdInHistory: 4 pwdGraceAuthNLimit: 3 pwdCheckQuality: 1 objectClass: pwdPolicy objectClass: top objectClass: device objectClass: pwdPolicyChecker pwdLockoutDuration: 18 pwdAllowUserChange: TRUE pwdExpireWarning: 432000 pwdLockout: TRUE pwdMaxAge: 7776000
Thank you
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Friday, January 21, 2011 9:36 AM To: Alexey Shalin Cc: openldap-technical@openldap.org Subject: Re: How to enable 'pwdPolicySubentry' in ppolicy.schema
Alexey Shalin wrote:
Hello,
How to enable 'pwdPolicySubentry' in ppolicy.schema, I added this
into
ppolicy.schema
Never modify the schema files distributed with OpenLDAP.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )But after that my slapd do not started.
Of course.
Schema files are only for defining user attributes. Operational attributes must be implemented in code and cannot be defined from a schema config file.
This particular attribute is already implemented in the ppolicy overlay so there is no need to define it again anyway.
should I upgrade openldap to the last ver ?
That would make no difference here, but it's always best to stay up to date.