Hello,
I am trying to apply a per-domain password policy. [At some point, it seems, these scripts worked for me, but I must have messed something up either in the setup or the scripts.]
I managed to load ppolicy.la and from lsof(8), I can see it. Now, I want to be able to turn password policy on each domain.
I have a simple script invoked as:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif

The ppolicy.ldif is:

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
When I try to add the online configuration, I get:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
I also have an LDIF for the default policy, added as:

$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f default_ppolicy.ldif

It contains:

dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 0
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE

When I try to add default_ppolicy.ldif, I get:

adding new entry "ou=policies,dc=example,dc=com"
adding new entry "cn=ppolicy,ou=policies,dc=example,dc=com"
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #2 invalid per syntax
It seems that OU=policies is created, but CN=ppolicy is not created. Is that right? I have four (4) values for objectClass. How can I find out which one is triggering the error?
Any suggestions where I should start looking?!
Thank you,
Igor Shmukler
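Added example (not part of the original post): a small helper that resolves an ldapadd "value #N invalid per syntax" message back to the LDIF value it points at, and lists the objectClass values a server will not recognise until the ppolicy schema is loaded into cn=schema,cn=config. The sample LDIF is a constructed copy of the cn=ppolicy entry above, and the two class sets are assumptions limited to the classes this post uses.

```python
"""Map slapd's 'value #N invalid per syntax' to the offending LDIF value."""
import re

# Constructed sample: the cn=ppolicy entry from the post, shortened.
SAMPLE_LDIF = """dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
"""

# Assumption for this example: classes from core schema versus classes that
# only exist once ppolicy.schema/ppolicy.ldif is loaded into cn=config.
CORE_CLASSES = {"top", "device", "organizationalUnit"}
PPOLICY_CLASSES = {"pwdPolicy", "pwdPolicyChecker"}


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values in file order]})]."""
    lines = []
    for raw in text.splitlines():          # unfold RFC 2849 continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def value_from_error(entry_attrs, info):
    """'objectClass: value #2 invalid per syntax' -> ('objectClass', value).
    slapd numbers values from 0, so #2 is the third value in file order."""
    m = re.match(r"(\w+): value #(\d+) invalid per syntax", info)
    return (m.group(1), entry_attrs[m.group(1)][int(m.group(2))]) if m else None


def undefined_classes(entry_attrs, ppolicy_loaded):
    """objectClass values slapd cannot resolve, in file order."""
    known = CORE_CLASSES | (PPOLICY_CLASSES if ppolicy_loaded else set())
    return [c for c in entry_attrs.get("objectClass", []) if c not in known]
```

Run against the real server by replacing the two class sets with the output of ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config olcObjectClasses; an empty undefined list with ppolicy_loaded=False means the entry should add cleanly.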