Hello,
I've got my LDAP infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastically (I can clear a db on a remote slave and, in less than 30 seconds after startup, it'll reacquire the entire db!).
I'm now having an issue with one of the very last things: getting a password policy into effect.
When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:
Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values
I get that error in the logs whether I try to add it by hand via Apache Directory Studio, or an ldif import/modify:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
Here are the related slapd.conf overlay directives:
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
(Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.)
And for completeness, here's the entry that I'm attempting to add this attribute to:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword:: <<snipped>>
And here's the password policy ldif:
dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE
When I built openldap, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so I get in the logs:
line 18 (moduleload ppolicy.la) module_load: (ppolicy.la) already present (static)
Which I'm pretty sure means it's already loaded...
Any idea as to what I'm doing wrong?
Thanks, - chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
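The schema error in the message above comes from slapd's single-value check: pwdPolicySubentry is SINGLE-VALUE in the ppolicy schema, so the modify is rejected as soon as the entry would end up with two values. The script below is an added example, not code from the poster or from OpenLDAP, that applies the posted modify to the posted entry offline and reports the same class of problem before anything is sent to slapd. It assumes a minimal LDIF parser written here (base64 "::" values, folding, comments), a whole-attribute-only delete, and a deliberately short list of SINGLE-VALUE attributes; the sample entry, policy and modify are constructed from the message, the userPassword is a dummy, and the second run (entry already carrying the attribute) only reproduces the logged error text, it does not claim that is what happened on the poster's server.

```python
"""Offline pre-flight check for a ppolicy LDIF modify (added example, not code
from the poster or from OpenLDAP). It applies the 'add' locally and reports what
slapd's schema check would reject, plus whether the referenced policy exists.
Sample LDIF is constructed from the message; the userPassword is a dummy."""
import base64

# SINGLE-VALUE attributes of the OpenLDAP ppolicy schema (assumption: only a few
# of the ones used on this page are listed), lower-cased key -> canonical name.
SINGLE_VALUED = {"pwdpolicysubentry": "pwdPolicySubentry",
                 "pwdattribute": "pwdAttribute", "pwdmaxfailure": "pwdMaxFailure"}

ENTRY_LDIF = """dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
uid: chrisjtest
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
"""
POLICY_LDIF = """dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxFailure: 3
"""
MODIFY_LDIF = """dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
"""

def parse_ldif(text):
    """Split LDIF into records, each a list of (attr_lowercase, value) pairs.
    Handles '::' base64 values, '#' comments and leading-space line folding."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849 continuation line
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):        # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode()
            else:
                value = rest.strip()
            current.append((name.strip().lower(), value))
    return records

def to_entry(record):
    """(dn, {attr: [values]}) view of a plain entry record."""
    dn, attrs = None, {}
    for name, value in record:
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def apply_modify(attrs, record):
    """Apply add/replace/delete ops of a 'changetype: modify' record to a copy
    of attrs. Whole-attribute delete only; 'dn', 'changetype', '-' are skipped."""
    new, op, target = {k: list(v) for k, v in attrs.items()}, None, None
    for name, value in record:
        if name in ("add", "replace", "delete"):
            op, target = name, value.lower()
            if op == "replace":
                new[target] = []
            elif op == "delete":
                new.pop(target, None)
        elif name == target and op in ("add", "replace"):
            new.setdefault(name, []).append(value)
    return new

def schema_check(attrs):
    """The errors slapd's single-value check would log for these attributes."""
    return [f"attribute '{SINGLE_VALUED[a]}' cannot have multiple values"
            for a, vals in attrs.items() if a in SINGLE_VALUED and len(vals) > 1]

def preflight(entry_ldif, policy_ldif, modify_ldif):
    """Apply the modify offline and list the problems slapd would report."""
    entry_dn, attrs = to_entry(parse_ldif(entry_ldif)[0])
    policies = {dn.lower(): a for dn, a in map(to_entry, parse_ldif(policy_ldif))}
    mod = parse_ldif(modify_ldif)[0]
    problems = []
    if dict(mod)["dn"].lower() != entry_dn.lower():
        problems.append("modify targets a different DN than the entry")
    new = apply_modify(attrs, mod)
    problems += schema_check(new)
    for ref in new.get("pwdpolicysubentry", []):   # referenced policy must exist
        classes = [c.lower() for c in policies.get(ref.lower(), {}).get("objectclass", [])]
        if "pwdpolicy" not in classes:
            problems.append(f"{ref} is not an existing pwdPolicy entry")
    return problems

if __name__ == "__main__":
    print(preflight(ENTRY_LDIF, POLICY_LDIF, MODIFY_LDIF) or "no problems found")
    already = ENTRY_LDIF + "pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net\n"
    print(preflight(already, POLICY_LDIF, MODIFY_LDIF))   # reproduces the logged error
```

Run as posted, the modify passes the offline check, which is the useful negative result: the LDIF itself is not asking for two values, so the duplicate must already be on the entry as slapd sees it, or be introduced on the server side; `ldapsearch -b <dn> '+'` (operational attributes are not returned by default) is the way to see what the entry actually carries before retrying.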