On Mon, Nov 19, 2012 at 10:46 AM, jeevan kc jeev_biz@hotmail.com wrote:
Thanks. But we have more than 25k users on the server. Doing that individually would be tedious. Is there any other way?
How about a script of some sorts? Something on the lines of:
ask ldap for the userlist (using ldapsearch)
for each user
    Add objectClass: pwdPolicy (using ldapmodify)
done
Sent from my iPhone
On Nov 19, 2012, at 10:42 AM, "Mauricio Tavares" raubvogel@gmail.com wrote:
On Mon, Nov 19, 2012 at 10:14 AM, jeevan kc jeev_biz@hotmail.com wrote:
Hello
I want to enable password policy on OpenLDAP 2.4.30 (for all users). I see that ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present in the /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add ppolicy.ldif to the cn=config folder? Is there a specific procedure to do that, or can I add it manually with ldapadd? Also, how do I enable that schema for all users? Please help.
Jeevan
If you have the policy as a diff, you could add it by saying
ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/ppolicy.ldif
Then you need to ldapmodify each user, adding something like
objectClass: pwdPolicy
to each of them.
This is off the top of my head, so do verify before doing exciting thingies to your server. ;)
Or how about creating an OU=policies under the root DIT and including these:
Objectclass: person
Objectclass: pwdpolicy
Objectclass: top
cn: default
pwdAttribute: 2.5.4.35
sn: summy
pwdlockout: True
pwdMaxfailure: 3
That was just a sample. All I wanted to show was creating an OU and mentioning cn=default. Does that take care of all users? Thanks
Jeevan
Date: Mon, 19 Nov 2012 11:01:24 -0500
Subject: Re: Password policy
From: raubvogel@gmail.com
To: jeev_biz@hotmail.com
CC: openldap-technical@openldap.org
On 19/11/2012 17:24, jeevan kc wrote:
Or how about creating an OU=policies under the root DIT and including these Objectclass: person
This class is perfectly useless here
Objectclass: pwdpolicy
Objectclass: top
cn: default
pwdAttribute: 2.5.4.35
sn: summy
pwdlockout: True
pwdMaxfailure: 3
That was just a sample. All I wanted to show was creating an OU and mentioning cn=default. Does that take care of all users? Thanks
No, you need to define ppolicy_default configuration directive for this. See slapo-ppolicy man page for details.
Guillaume Rousse wrote:
On 19/11/2012 17:24, jeevan kc wrote:
Or how about creating an OU=policies under the root DIT and including these Objectclass: person
This class is perfectly useless here
Do you mean objectclass: person? It's needed. Otherwise..
Objectclass: pwdpolicy
Objectclass: top
cn: default
pwdAttribute: 2.5.4.35
sn: summy
pwdlockout: True
pwdMaxfailure: 3
..one would not be able to 1. use *auxiliary* object class 'pwdpolicy' and 2. set attribute 'cn' in the entry.
(I usually use structural objectClass 'applicationProcess' along with 'pwdpolicy').
Ciao, Michael.
On 23/11/2012 17:04, Michael Ströder wrote:
Guillaume Rousse wrote:
On 19/11/2012 17:24, jeevan kc wrote:
Or how about creating an OU=policies under the root DIT and including these Objectclass: person
This class is perfectly useless here
Do you mean objectclass: person? It's needed. Otherwise..
Objectclass: pwdpolicy
Objectclass: top
cn: default
pwdAttribute: 2.5.4.35
sn: summy
pwdlockout: True
pwdMaxfailure: 3
..one would not be able to
- use *auxiliary* object class 'pwdpolicy' and
- set attribute 'cn' in the entry.
(I usually use structural objectClass 'applicationProcess' along with 'pwdpolicy').
Indeed, you need a structural object class. But person is definitely not a good idea, unless you want to blur the issue more than needed. I personally use organizationalRole for this purpose.
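Putting the thread's two conclusions together (a default policy named via the overlay configuration, and a policy entry built on a structural class plus the auxiliary pwdPolicy class), here is an added LDIF example that is not from the thread or from the OpenLDAP project; it assumes the suffix dc=example,dc=com and the database olcDatabase={1}hdb, so adjust both to match your slapd.d. With olcPPolicyDefault set, the policy applies to every entry in that database without modifying the 25k user entries.

```ldif
# 0. Load the schema first (Mauricio's step), as root over ldapi:
#    ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/local/etc/openldap/schema/ppolicy.ldif
#
# 1. Load the overlay module (skip if ppolicy is compiled into slapd).
#    Apply steps 1 and 2 with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the user database and name the default policy.
#    olcPPolicyDefault is the cn=config form of the ppolicy_default directive
#    from slapo-ppolicy(5). Assumed database: {1}hdb.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. The container and the policy entry, added with the directory admin bind.
#    pwdPolicy is AUXILIARY, so a STRUCTURAL class carries the entry and cn;
#    organizationalRole is used here (applicationProcess works equally well).
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
# pwdAttribute is mandatory; userPassword is OID 2.5.4.35 from the thread's sample
pwdAttribute: userPassword
# constructed sample values: lock after 3 failures for 15 minutes,
# expire after 90 days, refuse reuse of the last 5 passwords
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdMaxAge: 7776000
pwdInHistory: 5
```

An individual user who needs a different policy gets the operational attribute pwdPolicySubentry pointing at another pwdPolicy entry; everyone else falls back to cn=default.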