I've a few accounts that I was testing with - after I set the password /after/ ppolicy
was in place, things work as expected. Password history, # grace auths, etc.
However, for those accounts existing before the ppolicy was in place, no enforcement -
there's no password change date set, nor any other policy items added - other than the
One note: early on in the old ldap installations use, inetorgperson wasn't a class on
accounts. Is that necessary for pwdpolicy? Would that make everything else work for the
I'll send an example LDIF of a test account and a legacy account later.
Chris Jacobs, Jr. Unix System Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
----- Original Message -----
From: Tyler Gates <tgates81(a)gmail.com>
To: Chris Jacobs
Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Tue Mar 23 18:55:21 2010
Subject: Re: Tips when implementing password policies
pwdPolicySubentry should work -it's honored in place of the default
password policy which is set in your config. If it doesn't work than
likely your config lacks the necessary directives to use ppolicy.
As far as enforcement pwdMustchange can be set in your policy which
looks at the entrys pwdReset value. If both are true then ldap will
allow a limited set of rights on the dn enough to bind as tls or ssl
and change his or her password.
On Mar 23, 2010, at 5:19 PM, Chris Jacobs <Chris.Jacobs(a)apollogrp.edu>
I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I've
noticed that after adding pwdPolicySubentry to a user's account, it
doesn't seem to have any affect.
This user hasn't /ever/ reset their password, and the user's account
doesn't show any password policy grace period usage after the test.
The pwdPolicySubentry is still the only password policy related
entry on his account.
This suggests that I'll need to force people to change their
password's at some point.
1) Is what I'm seeing normal/expected?
2) What method(s) have you used to force people to change their
password - beyond asking them?
Chris Jacobs, Jr. Linux Administrator, Information Technology &
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
This message is private and confidential. If you have received it in
error, please notify the sender and remove it from your system.
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.