Thank you for your reply.
But then how can I use this:
dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"
I want to exclude the user 'search' from the default policy.
From docs:
Finally the account entry for the user(s) to whom this policy applies are modified to point to the specific policy using the following LDIF fragment:
# point the users entry to the specific policy
dn: cn=John Smith,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,dc=example,dc=com"
When I tried to run it in my LDAP browser I got:
Line 4, Column 0: Unexpected line found: 'pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"'.
Line 4, Column 0: The 'add' modification operation must have at least one value specified (Attribute: 'pwdPolicySubentry').
Line 4: Unexpected end of LDIF file. The last record will not be committed.
Import data complete. Elapsed time: 0:00. Entries processed: 0. Warning(s): 0, error(s): 3.
Can you please tell me another way, if there is one, to exclude the user 'search' from:
dn: cn=std,ou=ppolicy,ou=my_dn
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 7
pwdSafeModify: FALSE
pwdInHistory: 4
pwdGraceAuthNLimit: 3
pwdCheckQuality: 1
objectClass: pwdPolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
pwdLockoutDuration: 18
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdMaxAge: 7776000
Thank you
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, January 21, 2011 9:36 AM
To: Alexey Shalin
Cc: openldap-technical@openldap.org
Subject: Re: How to enable 'pwdPolicySubentry' in ppolicy.schema
Alexey Shalin wrote:
> Hello,
> How to enable 'pwdPolicySubentry' in ppolicy.schema? I added this into ppolicy.schema:
Never modify the schema files distributed with OpenLDAP.
> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23
>     NAME 'pwdPolicySubentry'
>     DESC 'The pwdPolicy subentry in effect for this object'
>     EQUALITY distinguishedNameMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>     SINGLE-VALUE
>     USAGE directoryOperation )
> But after that my slapd does not start.
Of course.
Schema files are only for defining user attributes. Operational attributes must be implemented in code and cannot be defined from a schema config file.
This particular attribute is already implemented in the ppolicy overlay so there is no need to define it again anyway.
> Should I upgrade OpenLDAP to the latest version?
That would make no difference here, but it's always best to stay up to date.
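As an added illustration (editor's example, not code from the thread or from the OpenLDAP documentation), the script below applies the same check an LDIF importer makes to a 'changetype: modify' record: every value line that follows 'add: attr' must carry that same attribute name, and an 'add' with no value is an error. Both records are constructed; the fixed one also drops the quotation marks, because LDIF takes the value literally and they would otherwise become part of the DN.

```python
"""Validate the shape of a 'changetype: modify' LDIF record offline."""

# Constructed sample: the record as posted (value line named 'pwdPolicy').
BROKEN = """\
dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"
"""

# Constructed sample: value line repeats the attribute named on 'add:',
# DN unquoted, modification closed with '-'.
FIXED = """\
dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=user,ou=pwpolicies,ou=my_dn
-
"""


def check_modify_record(ldif: str) -> list[str]:
    """Return error messages for one modify record; [] means well formed."""
    errors: list[str] = []
    lines = [l for l in ldif.splitlines() if l and not l.startswith("#")]
    if len(lines) < 2 or not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        return ["record must begin with 'dn: ...' followed by 'changetype: modify'"]
    op = attr = None  # the open modification, e.g. op='add', attr='pwdPolicySubentry'
    nvalues = 0

    def close() -> None:  # end of a modification: 'add' needs at least one value
        if op == "add" and nvalues == 0:
            errors.append(f"'add' of {attr!r} has no value")

    for n, line in enumerate(lines[2:], start=3):
        if line == "-":
            close()
            op, attr, nvalues = None, None, 0
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            errors.append(f"line {n}: expected 'attr: value', got {line!r}")
        elif name in ("add", "replace", "delete"):
            close()
            op, attr, nvalues = name, value, 0
        elif op is None:
            errors.append(f"line {n}: value line outside any modification: {line!r}")
        elif name != attr:  # this is what the LDAP browser reported as 'Unexpected line'
            errors.append(f"line {n}: unexpected line {line!r}; expected '{attr}: ...'")
        else:
            nvalues += 1
    close()
    return errors
```

Because pwdPolicySubentry is operational, a later ldapsearch must request it by name (or with '+') to confirm the assignment took effect.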