ppolicy

List overview All Threads
Download

newer

older

Re: Re: N-Way Multi-Master...

Syncrepl Questions

Allgood, John

15 Jan 2009 15 Jan '09

5:12 a.m.

Hey Guys

I have another question in regards to using ppolicy. I have built my policy into ldap. How do I apply that policy to my existing user objects.

Thanks

John Allgood

Senior Systems Administrator

Turbo, division of OHL

2251 Jesse Jewell Pky. NE

Gainesville, GA 30507

tel: (678) 989-3051 fax: (770) 531-7878

jallgood@ohl.com mailto:jallgood@ohl.com

www.ohl.com http://www.ohl.com

Attachments:

attachment.htm (text/html — 3.3 KB)

Show replies by date

Dieter Kluenter

15 Jan 15 Jan

6:09 a.m.

Hi,

"Allgood, John" jallgood@ohl.com writes:

...

Hey Guys

I have another question in regards to using ppolicy. I have built my policy into ldap. How do I apply that policy to my existing user objects.

You either create a default rule set in slapd.conf or add a policy subentry to a user entry. Something like

dn: cn=some user,ou=users cn: some user objectclass: inetorgPerson objectclass: pwdPolicy pwdAttribute: 2.5.4.35 pwdPolicySubentry: cn=users,ou=policies ...

dn: cn=users,ou=policies cn: users objectClass: organizationalRole objectClass: pwdPolicy pwdAllowUserChange: TRUE pwdAttribute: 2.5.4.35 pwdCheckQuality: 1 pwdExpireWarning: 86400 pwdGraceAuthNLimit: 2 pwdInHistory: 6 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 250000 pwdMaxFailure: 3

-Dieter

-- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html sip: +49.180.1555.7770535 GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E

Howard Chu

10:15 a.m.

Dieter Kluenter wrote:

...

Hi,

"Allgood, John"jallgood@ohl.com writes:

...
Hey Guys

I have another question in regards to using ppolicy. I have built my policy into ldap. How do I apply that policy to my existing user objects.

You either create a default rule set in slapd.conf or add a policy subentry to a user entry. Something like

dn: cn=some user,ou=users cn: some user objectclass: inetorgPerson objectclass: pwdPolicy pwdAttribute: 2.5.4.35 pwdPolicySubentry: cn=users,ou=policies

NO.

Where did you get this idea from?

There is no reason to set "objectclass: pwdPolicy" on the user object. Likewise, pwdAttribute does not belong there.

...

...

dn: cn=users,ou=policies cn: users objectClass: organizationalRole objectClass: pwdPolicy pwdAllowUserChange: TRUE pwdAttribute: 2.5.4.35 pwdCheckQuality: 1 pwdExpireWarning: 86400 pwdGraceAuthNLimit: 2 pwdInHistory: 6 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 250000 pwdMaxFailure: 3

-Dieter

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

5791

Age (days ago)

5791

Last active (days ago)

openldap-technical@openldap.org

2 comments

3 participants

tags (0)

participants (3)

Allgood, John
Dieter Kluenter
Howard Chu