sorry, your wording does not result in any valid interpretation on my side.
Especially you obfuscated too much.
configuration, slapd logs and check the command-lines more carefully.
Ciao, Michael.
Michael,
I modified the command and was able to implement the password policy using:
# ldapadd -x -W -D cn=****,dc=****,dc=**** -f passwordPolicy.ldif
Verified the policy was applied:
# ldapsearch -x -D cn=****,dc=****,dc=**** -H ldap:// -b dc=****,dc=**** -W
# real, People, ****.****
dn: uid=real,ou=People,dc=****,dc=****
uid: real
homeDirectory: /home/real
memberUid: real
…
…
# policies, ****.****
dn: cn=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn:: cG9saWNpZXMg
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
# search result
search: 2
result: 0 Success
# numResponses: 598
# numEntries: 597
TEST: I reset the password for user ‘real’ an ldap client using passwd, the password was successfully changed. However, the new user password did not change on the ldap server. It appears that the policy is not updating the ou where my user ‘real’ belongs
to.
Maybe it’s got to do with my ldap tree and where I configured my password policy (cn=policies), this is how it is now:
dc=****, dc=****
cn=policies
…
…
ou=People
…
…
Thank you,
Liz
Date: Thursday, September 24, 2015 at 11:42 AM
Subject: Re: Allow users to change ldap password with passwd
Real, Elizabeth (392K) wrote:
I replaced ou with cn, tried loading the ldif and got this message:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*****,dc=*****"
ldap_add: Insufficient access (50)
additional info: no write access to parent
I guess you want to use another bind-DN with -D when writing to your normal DB
backend / naming context dc=*****,dc=*****.
And defining -Y and -D together does not make sense. Please consult the man
page and look at various bind methods more closely.
Ciao, Michael.
Michael Ströder Klauprechtstr. 11