On Tuesday, 5 January 2010 03:14:44 Saavedra, Gisella wrote:
> $ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w secret -f /etc/openldap/data/ppolicy.ldif
> adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
>
> adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
> ldapadd: Object class violation (65)
>         additional info: no structural object class provided
This is LDAP basics, nothing to do with ppolicy really, and not necessarily OpenLDAP-specific either.
[...]
> # Default Password Policy
> dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
> objectClass: pwdPolicy
pwdPolicy is an auxiliary objectclass. Besides it, you need a structural objectclass which doesn't impose any other attribute requirements, and allows the 'cn' attribute. You could use 'device' or 'organizationalRole', which should be in the default schema, or the 'namedObject' one (which is not in default schema).
For example, you could solve this by adding:
objectclass: organizationalRole
> cn: default
> # User can change his/her password
> pwdAllowUserChange: TRUE
> # Return warning to bind attempt (seconds) -- 3 days
> pwdExpireWarning: 259200
> # Interval in seconds to reset failure pwd count
> pwdFailureCountInterval: 100
> # Do not allow to bind on expired passwords
> pwdGraceAuthNLimit: 0
> # Reject any password changes in this list
> pwdInHistory: 3
> # Lock out account when user tries more than x attempts using invalid password
> pwdLockout: TRUE
> # Do not allow the system to unlock the account
> pwdLockoutDuration: 0
> # Consecutive # of failure attempts
> pwdMaxFailure: 5
> # How long the password lasts before user has to change it (seconds) -- 90 days
> pwdMaxAge: 7776000
> # Password length
> pwdMinLength: 6
You could also use other existing entries (e.g. an existing container entry) to hold the password policy.
Regards,
Buchan
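As an added illustration of the structural-class rule explained above (not code from the thread or from OpenLDAP), the following script parses a ppolicy LDIF record and reports, before ldapadd is run, the same condition slapd rejects with "no structural object class provided" (65). The object class kind table is a hand-maintained subset of the core and ppolicy schema and is an assumption of this example; the sample entry is constructed to mirror the one in the thread.

```python
# Added example, not from the thread: a pre-flight check for a ppolicy LDIF entry that reports
# the condition slapd rejects as "no structural object class provided" (65) before ldapadd runs.
# The kind table is a hand-maintained subset of core + ppolicy schema (assumption of this example).
OBJECT_CLASS_KIND = {
    "top": "ABSTRACT",
    "pwdpolicy": "AUXILIARY",          # carries the pwd* attributes, cannot stand alone
    "organizationalrole": "STRUCTURAL",
    "device": "STRUCTURAL",
    "namedobject": "STRUCTURAL",
}
def parse_ldif_record(text):
    # One LDIF record -> {attr_lowercase: [values]}; comments skipped, folded lines unfolded.
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_entry(attrs):
    # Return a list of problems; empty means the entry should pass slapd's object class checks.
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    problems = [f"objectClass {c!r} is not in the local kind table" for c in classes if c not in OBJECT_CLASS_KIND]
    structural = [c for c in classes if OBJECT_CLASS_KIND.get(c) == "STRUCTURAL"]
    if not structural:
        problems.append("no structural object class provided (ldapadd would fail with code 65)")
    elif len(structural) > 1:   # the table does not model inheritance, so flag this for review
        problems.append(f"more than one structural class ({', '.join(structural)}); they must form one chain")
    if "pwdpolicy" in classes and "pwdattribute" not in attrs:
        problems.append("pwdPolicy requires pwdAttribute (normally userPassword)")
    return problems

def check_ldif(text):
    return check_entry(parse_ldif_record(text))
# Constructed sample mirroring the entry from the thread, before and after adding the structural class.
BROKEN = """\
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
"""
FIXED = BROKEN.replace("objectClass: pwdPolicy\n", "objectClass: pwdPolicy\nobjectClass: organizationalRole\n")
```

Running `check_ldif` on an entry that adds two unrelated structural classes (for example both organizationalRole and device) is flagged as well, since slapd only accepts a single structural class chain.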