Re: Tips when implementing password policies

I've a few accounts that I was testing with - after I set the password /after/ ppolicy was in place, things work as expected. Password history, # grace auths, etc. However, for those accounts existing before the ppolicy was in place, no enforcement - there's no password change date set, nor any other policy items added - other than the pwdpolicysubentry. One note: early on in the old ldap installations use, inetorgperson wasn't a class on accounts. Is that necessary for pwdpolicy? Would that make everything else work for the legacy accounts? I'll send an example LDIF of a test account and a legacy account later. - chris Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: Tyler Gates <tgates81(a)gmail.com&gt; To: Chris Jacobs Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org&gt; Sent: Tue Mar 23 18:55:21 2010 Subject: Re: Tips when implementing password policies pwdPolicySubentry should work -it's honored in place of the default password policy which is set in your config. If it doesn't work than likely your config lacks the necessary directives to use ppolicy. As far as enforcement pwdMustchange can be set in your policy which looks at the entrys pwdReset value. If both are true then ldap will allow a limited set of rights on the dn enough to bind as tls or ssl and change his or her password. On Mar 23, 2010, at 5:19 PM, Chris Jacobs <Chris.Jacobs(a)apollogrp.edu&gt; wrote: This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.