On Thursday 05 June 2008 21:42:57 Hallvard B Furuseth wrote:
Jeroen van Aart writes:
I know about the password policy. It's a bit problematic to implement into the existing system. The main issue I remember is that I wanted to implement the policy for select groups, ou=People for example, but NOT ou=FTPusers or ou=Virtual since those accounts can't readily change the password. I couldn't find a way to do that.
For that particular problem, if by "groups" you mean LDAP subtrees: You can put ou=People in a separate database in slapd.conf and mark it as "subordinate" of its parent database so they'll be glued together and act as one database. Though since you mention synchronisation, there were or are some bugs with combining syncrepl with the glue overlay which "subordinate" makes use of. The latest 2.4.* releases including the upcoming 2.4.10 have a number of syncrepl fixes.
Or, you can have one default policy, and override it (by setting the pwdPolicySubentry to the other policy) on all the entries which should not use the default policy. Which one you make the default, you will have to decide.
Regards, Buchan
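
The per-entry override described in the last reply, as an added example that is not part of the original thread: a script that turns a list of DNs into LDIF setting pwdPolicySubentry on every account below the exempt subtrees. The suffix dc=example,dc=com, the policy DN and the sample DNs are assumptions made up for illustration.

```shell
#!/bin/sh
# Assumed names (not from the thread): directory suffix and the alternate
# policy entry that exempt accounts should use instead of the default.
ALT_POLICY="cn=relaxed,ou=Policies,dc=example,dc=com"
EXEMPT_SUBTREES="ou=FTPusers,dc=example,dc=com ou=Virtual,dc=example,dc=com"

# Constructed sample input, standing in for a DN list exported from the directory.
sample_dns() {
cat <<'EOF'
uid=alice,ou=People,dc=example,dc=com
uid=upload1,ou=FTPusers,dc=example,dc=com
uid=mail1,ou=Virtual,dc=example,dc=com
uid=Bob,OU=ftpusers,DC=example,DC=com
ou=FTPusers,dc=example,dc=com
EOF
}

# Succeeds if DN $1 lies strictly below subtree $2. Comparison is
# case-insensitive; DNs are assumed to contain no spaces or escaped commas.
is_below() {
    _d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$_d" in
        *",$_b") return 0 ;;
        *)       return 1 ;;
    esac
}

# Read DNs on stdin; write one LDIF modify record per exempt account.
# "replace" keeps the change idempotent if an override is already present.
override_ldif() {
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        for subtree in $EXEMPT_SUBTREES; do
            if is_below "$dn" "$subtree"; then
                printf 'dn: %s\nchangetype: modify\n' "$dn"
                printf 'replace: pwdPolicySubentry\n'
                printf 'pwdPolicySubentry: %s\n\n' "$ALT_POLICY"
                break
            fi
        done
    done
}

sample_dns | override_ldif
```

The output is in the form ldapmodify reads. Accounts under ou=People and the ou=FTPusers container entry itself are left untouched, so they keep the default policy.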