Thanks for the tip. I added the pwdPolicySubentry to one user, but it did not work; the attribute is not listed for the user.
I read that this attribute has to be enabled in the ppolicy schema? I looked at my ppolicy schema, which is located here: /etc/openldap/slapd.d/cn=config/cn=schema/cn={3}ppolicy.ldif. However, I did not find pwdPolicySubentry.
What version of openldap is your suggestion based on? I’m running v2.4.39.
Thanks, Liz
From: Craig White <CWhite@skytouchtechnology.com>
Date: Monday, October 5, 2015 at 2:41 PM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, Michael Ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: Allow users to change ldap password with passwd

From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Real, Elizabeth (392K)
Sent: Monday, October 05, 2015 1:18 PM
To: Michael Ströder; openldap-technical@openldap.org
Subject: Re: Allow users to change ldap password with passwd
I have reinstalled openldap and applied slapo-ppolicy carefully looking at man pages and the configuration.
How do I then apply this to existing openldap accounts?
Thank you, Liz
You need to have a ‘pwdPolicySubentry’ attribute assigned to each user and the value for that attribute would have to be a valid DN of the password policy itself.
For example, below is what I used to add password policy recently – fix as needed, YMMV
#!/bin/bash
#
# assign password policy to LDAP users
# (one uid per line in the file "users"; bind password comes from $SOME_PASSWORD)
for USER in $(cat users); do
    ldapmodify -x -D cn=rootbinddn,dc=example,dc=com -w "$SOME_PASSWORD" <<!
dn: uid=$USER,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=example,dc=com
!
done
Craig
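An added example, not Craig's script and not part of the original thread, that does the same assignment as one LDIF batch with a single bind and then reads the attribute back; the DNs, the "users" file layout and the password file path are assumed. Two practical points it builds in: "replace:" is idempotent where "add:" fails on a user that already has the attribute, and pwdPolicySubentry is an operational attribute (defined by the ppolicy overlay itself, not in ppolicy.schema), so ldapsearch only returns it when it is named explicitly or requested with '+'.

```shell
#!/bin/sh
# Added example: batch-assign a password policy and verify it.
# Assumed values in the style of the thread:
POLICY_DN="cn=personnelpp,ou=Policies,dc=example,dc=com"
PEOPLE_BASE="ou=people,dc=example,dc=com"
BIND_DN="cn=rootbinddn,dc=example,dc=com"
PASS_FILE="/etc/openldap/rootpw"   # assumed: mode 0600, no trailing newline
# Reading the bind password with -y keeps it out of the process list,
# where a -w argument is visible to every local user.

# Print the LDIF modify record assigning $POLICY_DN to one uid.
# "replace" keeps a re-run from failing with attributeOrValueExists.
ppolicy_ldif() {
    printf 'dn: uid=%s,%s\n' "$1" "$PEOPLE_BASE"
    printf 'changetype: modify\n'
    printf 'replace: pwdPolicySubentry\n'
    printf 'pwdPolicySubentry: %s\n\n' "$POLICY_DN"
}

# Print records for every uid in file $1 (one per line; blank lines and
# '#' comments are skipped). Returns 1 if the file yielded no uids.
ppolicy_batch() {
    count=0
    while IFS= read -r uid || [ -n "$uid" ]; do
        case "$uid" in ''|'#'*) continue ;; esac
        ppolicy_ldif "$uid"
        count=$((count + 1))
    done < "$1"
    [ "$count" -gt 0 ]
}

# Apply the batch in one ldapmodify session, then show the policy DN the
# server reports for each user. The attribute is operational, so it must
# be named in the ldapsearch request (or requested with '+') or it is
# silently left out of the result, which looks like "not listed".
apply_ppolicy() {
    ppolicy_batch "$1" | ldapmodify -x -D "$BIND_DN" -y "$PASS_FILE" || return 1
    while IFS= read -r uid || [ -n "$uid" ]; do
        case "$uid" in ''|'#'*) continue ;; esac
        ldapsearch -x -LLL -D "$BIND_DN" -y "$PASS_FILE" \
            -b "uid=$uid,$PEOPLE_BASE" -s base pwdPolicySubentry
    done < "$1"
}

# Usage: apply_ppolicy users
```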