Hi Denis,

I did following steps in order to get the password policy work, still nothing is working.

1) In my slapd.conf file added below lines:
# Password Policy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com"

# ACL Entry for Password Policies
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
2) Loaded the password policy .ldif file into ldap by ldapadd. O/t of password policy .ldif files is:
# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=j,dc=cinglevue=,dc=com
objectClass: organizationalUnit
ou: Policies

# Creates a Policy object in Policies OU (Organizational Unit)
dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE


On Wednesday, 26 February 2014 8:02 PM, Dennis Leeuw <D.Leeuw@umcutrecht.nl> wrote:
Hash: SHA1

Have a look at the shadow* attributes from the shadowAccount class.
Those should help you enforcing password related stuff. For self
changes of passwords use an ACL like:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none



On 02/26/2014 11:50 AM, Saurabh Ohri wrote:
> Thanks Dennis. You ate right the problem is not related to ldap
> but was looking for help against it.
> I am able to have successful authentication from ldap on both mac
> and windows after trying 50 combinations of configuration 😄
> But finally it worked and it our effort paid.
> Thanks again and will share the information/ document soon.
> Also it would be of great help if you could share some details on
> enforcing password policies like self user password change, force
> passed change after first login etc. I did some config but it is
> not working even for Linux.
> Thanks Sam
> Sent from my iPhone
>> On 26 Feb 2014, at 4:40 pm, Dennis Leeuw <D.Leeuw@umcutrecht.nl>
>> wrote:
>>>> On 02/26/2014 05:26 AM, saurabh ohri wrote: Hi all,
>>>> I am new to openldap and i manage dto install and configure
>>>> the same. My linux client is working well but not able to
>>>> authenticate windows and mac clients.
>>>> Have been trying since past 2 days by google and other posts
>>>> but still facing issue. Any help would be highly
>>>> appreciated.
>>>> Details: using openldap-2.4.23-34 on RHEL6.5 *Client
>>>> details:* Mac 10.8.5 -- tried configuring the network account
>>>> server but it is showing RED. Error This server is not
>>>> responding. Windows 7 – tried installing GINA but it is
>>>> giving me invalid credentials error.
>>>> Configuration file on server: Password: # extended LDIF # #
>>>> LDAPv3 # base <dc=j,dc=example,dc=com> (default) with scope
>>>> subtree # filter: (objectclass=*) # requesting: ALL #
>>>> # j.example.com dn: dc=j,dc=example,dc=com objectClass: top
>>>> objectClass: dcObject objectClass: organization o: example
>>>> Organization description: example Inc DIT dc: j
>>>> # Users, j.example.com dn: ou=Users,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit ou: Users
>>>> # Groups, j.example.com dn: ou=Groups,dc=j,dc=example,dc=com
>>>>  objectClass: organizationalUnit ou: Groups
>>>> # Admins, j.example.com dn: ou=Admins,dc=j,dc=example,dc=com
>>>>  objectClass: organizationalUnit ou: Admins
>>>> # sohri, Users, j.example.com dn:
>>>> uid=sohri,ou=Users,dc=j,dc=example,dc=com uid: sohri cn:
>>>> sohri sn: 1 objectClass: top objectClass: posixAccount
>>>> objectClass: inetOrgPerson loginShell: /bin/bash
>>>> homeDirectory: /home/sohri uidNumber: 15000 gidNumber: 10000
>>>> userPassword::
>>>> e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkcg mail:
>>>> sam.ohri@example.com gecos: Local User
>>>> # tpearce, Users, j.example.com dn:
>>>> uid=tpearce,ou=Users,dc=j,dc=example,dc=com uid: tpearce cn:
>>>>  tpearce sn: 2 objectClass: top objectClass: posixAccount
>>>> objectClass: inetOrgPerson loginShell: /bin/bash
>>>> homeDirectory: /home/tpearce uidNumber: 15001 gidNumber:
>>>> 10000 userPassword::
>>>> e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkc= mail:
>>>> tony.pearce@example.com gecos: local User
>>>> # ldapusers, Groups, j.example.com dn:
>>>> cn=ldapusers,ou=Groups,dc=j,dc=example,dc=com objectClass:
>>>> posixGroup objectClass: top cn: ldapusers userPassword::
>>>> e2NyeXB0fXg= gidNumber: 10000 memberUid: uid=sohri memberUid:
>>>>  uid=tpearce
>>>> # search result search: 2 result: 0 Success
>>>> # numResponses: 8 # numEntries: 7
>>>> Regards Sam
> Windows is created to work against an Active Directory system,
> meaning you have an LDAP authorization and Kerberos
> authentication. Connecting Windows to a LDAP for both is
> problematic to say the least. The easiest solution is using SAMBA
> against LDAP and make the Windows systems login against the SAMBA
> server. If you like to make it work with GINA, contact them, and to
> understand what is going on you might want to read:
> http://pig.made-it.com/win-boot-test.html No guarantees, I did my
> best to document what is happening. Hope I did it right.
> Mac OS X did once work against LDAP, I have no idea what the
> current state is. On 10.6.5 go to Preferences, Accounts. Click
> Login Options go to Account Server and click Join. Select
> OpenDirectory utility. Click LDAPv3 and click the edit button.
> Click show options, click New, type the address of your ldap
> server. Give your account credentias, pick template RFC 2307, set
> search base. And your done...
> And finaly: None of your problems is OpenLDAP related since it
> works on your Linux machine.
> Greetings,
> Dennis
>> ------------------------------------------------------------------------------
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
>> uitsluitend bestemd voor de geadresseerde. Indien u dit bericht
>> onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken
>> en de afzender direct te informeren door het bericht te
>> retourneren. Het Universitair Medisch Centrum Utrecht is een
>> publiekrechtelijke rechtspersoon in de zin van de W.H.W. (Wet
>> Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat
>> geregistreerd bij de Kamer van Koophandel voor Midden-Nederland
>> onder nr. 30244197.
>> Denk s.v.p aan het milieu voor u deze e-mail afdrukt.
>> ------------------------------------------------------------------------------
This message may contain confidential information and is intended
>> for the addressee. If you receive this message unintentionally,
>> please do not use the contents but notify the sender immediately
>> by return e-mail. University Medical Center Utrecht is a legal
>> person by public law and is registered at the Chamber of Commerce
>> for Midden-Nederland under no. 30244197.
>> Please consider the environment before printing this e-mail.

- --
ICT Medewerker
Divisie Biomedische Genetica
UMC Utrecht
Heidelberglaan 100 STR2.126
3584 CX  Utrecht
The Netherlands
06 27744048
intern: 64048
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/