Thank you for your reply.
But then how can I use this:
dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"
I want to exclude user: search from default policy
From docs:
Finally the account entry for the user(s) to whom this policy applies are modified to point to the specific policy using the following LDIF fragment:
# point the users entry to the specific policy
dn: cn=John Smith,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,dc=example,dc=com"
----------------------------------------------------------------------------
When I tried to run it in my LDAP browser I got:
Line 4, Column 0: Unexpected line found: 'pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"'.
Line 4, Column 0: The 'add' modification operation must have at least one value specified (Attribute: 'pwdPolicySubentry').
Line 4: Unexpected end of LDIF file. The last record will not be committed.
Import data complete. Elapsed time: 0:00. Entries processed: 0. Warning(s): 0, error(s): 3.
Can you please tell me, maybe, another way to exclude user:search from:
dn: cn=std, ou=ppolicy, ou=my_dn
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 7
pwdSafeModify: FALSE
pwdInHistory: 4
pwdGraceAuthNLimit: 3
pwdCheckQuality: 1
objectClass: pwdPolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
pwdLockoutDuration: 18
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdMaxAge: 7776000
Thank you
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, January 21, 2011 9:36 AM
To: Alexey Shalin
Cc: openldap-technical@openldap.org
Subject: Re: How to enable 'pwdPolicySubentry' in ppolicy.schema
Alexey Shalin wrote:
Hello,
How to enable 'pwdPolicySubentry' in ppolicy.schema, I added this into ppolicy.schema
Never modify the schema files distributed with OpenLDAP.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23
    NAME 'pwdPolicySubentry'
    DESC 'The pwdPolicy subentry in effect for this object'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE
    USAGE directoryOperation )
But after that my slapd did not start.
Of course.
Schema files are only for defining user attributes. Operational attributes must be implemented in code and cannot be defined from a schema config file.
This particular attribute is already implemented in the ppolicy overlay so there is no need to define it again anyway.
Should I upgrade openldap to the last ver?
That would make no difference here, but it's always best to stay up to date.
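The import errors quoted in the first message follow from one LDIF rule (RFC 2849): inside a modify record, every value line under `add: attr` must name that same attribute, and quotes are literal characters. The checker below is an added example, not code from the thread or from the OpenLDAP documentation; `lint_modify`, `AS_POSTED` and `CORRECTED` are hypothetical names, and the corrected record addresses LDIF syntax only.

```python
# Added example (not from the thread): lint one LDIF "changetype: modify" record.
# RFC 2849: inside a mod-spec ("add: attr" ... "-") each value line names that attr.
MOD_OPS = ("add", "replace", "delete")
HEADERS = ("version", "dn", "changetype")

# Constructed input: the record as posted, then the same change with the value
# line named after the attribute being added and without the quotes.
AS_POSTED = """\
dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"
"""
CORRECTED = """\
dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=user,ou=pwpolicies,ou=my_dn
"""

def lint_modify(ldif):
    """Return a list of (line_number, message) problems in one modify record."""
    problems = []
    op = attr = None                      # the mod-spec that is currently open
    op_line = values = 0
    for n, line in enumerate(ldif.splitlines() + ["-"], 1):  # sentinel closes last spec
        if line.startswith(("#", " ")):   # comment or folded continuation line
            continue
        if line.strip() in ("-", ""):     # end of a mod-spec or of the record
            if op == "add" and values == 0:
                problems.append((op_line, f"'add: {attr}' has no value"))
            op = attr = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.lstrip(": ")       # '::' marks base64
        if op is None:
            if name.lower() in MOD_OPS:
                op, attr, op_line, values = name.lower(), value.strip(), n, 0
            elif name.lower() not in HEADERS:
                problems.append((n, f"expected add:/replace:/delete:, got '{name}:'"))
        elif name.lower() != attr.lower():
            problems.append((n, f"unexpected '{name}:' inside '{op}: {attr}'"))
        else:
            values += 1
            if value.startswith('"'):
                problems.append((n, "quotes are literal in LDIF and become part of the value"))
    return problems

if __name__ == "__main__":
    for label, record in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, lint_modify(record) or "ok")
```

Run on the posted record, it reports the stray `pwdPolicy:` line and the resulting value-less `add`, the same two conditions the LDAP browser complained about.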