8:01 a.m.
On Mon, Nov 19, 2012 at 10:46 AM, jeevan kc <jeev_biz(a)hotmail.com> wrote:
Thanks . But we have like more than 25k users on the server. Doing
that individually would be tedious. Is there any other way ?
How about a script of some sorts? Something on the lines of:
ask ldap for the userlist (using ldapsearch)
for each user
Add objectClass: pwdPolicy (using ldapmodify)
done
Sent from my iPhone
On Nov 19, 2012, at 10:42 AM, "Mauricio Tavares" <raubvogel(a)gmail.com>
wrote:
> On Mon, Nov 19, 2012 at 10:14 AM, jeevan kc <jeev_biz(a)hotmail.com> wrote:
>> Hello
>>
>> I want to enable password policy on Openldap 2.4.30(to all users. I see that
>> the ppolicy.ldif and ppolicy.schema are listed under
>> /usr/local/etc/openldap/schema but are not present on
>> /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the
>> policy.ldif to the cn=config folder ? Is there like specific procedure to do
>> that or can I add manually with ldapadd ? Also how do I enable that schema
>> to all users ? Please help.
>>
>>
>> Jeevan
>
> If you have the policy as a diff, you could add it by saying
>
> ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/ppolicy.ldif
>
> Then you need to ldapmodify each user, adding something like
>
> objectClass: pwdPolicy
>
> to each of them.
>
> This is off the top of my head, so do verify before doing exciting
> thingies to your server. ;)
8:24 a.m.
New subject: Password policy
Or how about creating an OU=policies under the root DIT and including theseObjectclass:
personObjectclass: pwdpolicyObjectclass:
topcn:defaultpwdAttribute:2.5.4.35sn:summypwdlockout:TruepwdMaxfailure:3
That was just a sample. All I wanted to show was creating an OU and mentioning cn=default.
Does that take care of all users? Thanks
Jeevan
Date: Mon, 19 Nov 2012 11:01:24 -0500
Subject: Re: Password policy
From: raubvogel(a)gmail.com
To: jeev_biz(a)hotmail.com
CC: openldap-technical(a)openldap.org
On Mon, Nov 19, 2012 at 10:46 AM, jeevan kc <jeev_biz(a)hotmail.com> wrote:
> Thanks . But we have like more than 25k users on the server. Doing that individually
would be tedious. Is there any other way ?
>
How about a script of some sorts? Something on the lines of:
ask ldap for the userlist (using ldapsearch)
for each user
Add objectClass: pwdPolicy (using ldapmodify)
done
> Sent from my iPhone
>
> On Nov 19, 2012, at 10:42 AM, "Mauricio Tavares"
<raubvogel(a)gmail.com> wrote:
>
>> On Mon, Nov 19, 2012 at 10:14 AM, jeevan kc <jeev_biz(a)hotmail.com> wrote:
>>> Hello
>>>
>>> I want to enable password policy on Openldap 2.4.30(to all users. I see
that
>>> the ppolicy.ldif and ppolicy.schema are listed under
>>> /usr/local/etc/openldap/schema but are not present on
>>> /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the
>>> policy.ldif to the cn=config folder ? Is there like specific procedure to
do
>>> that or can I add manually with ldapadd ? Also how do I enable that schema
>>> to all users ? Please help.
>>>
>>>
>>> Jeevan
>>
>> If you have the policy as a diff, you could add it by saying
>>
>> ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/ppolicy.ldif
>>
>> Then you need to ldapmodify each user, adding something like
>>
>> objectClass: pwdPolicy
>>
>> to each of them.
>>
>> This is off the top of my head, so do verify before doing exciting
>> thingies to your server. ;)
7:17 a.m.
New subject: Password policy
Le 19/11/2012 17:24, jeevan kc a écrit :
Or how about creating an OU=policies under the root DIT and including
these
Objectclass: person
This class is perfectly useless here
Objectclass: pwdpolicy
Objectclass: top
cn:default
pwdAttribute:2.5.4.35
sn:summy
pwdlockout:True
pwdMaxfailure:3
That was just a sample. All I wanted to show was creating an OU and
mentioning cn=default. Does that take care of all users? Thanks
No, you need to
define ppolicy_default configuration directive for this.
See slapo-ppolicy man page for details.
--
BOFH excuse #141:
disks spinning backwards - toggle the hemisphere jumper.
8:04 a.m.
New subject: Password policy
Guillaume Rousse wrote:
Le 19/11/2012 17:24, jeevan kc a écrit :
> Or how about creating an OU=policies under the root DIT and including these
> Objectclass: person
This class is perfectly useless here
Do you mean objectclass: person? It's needed. Otherwise..
> Objectclass: pwdpolicy
> Objectclass: top
> cn:default
> pwdAttribute:2.5.4.35
> sn:summy
> pwdlockout:True
> pwdMaxfailure:3
..one would not be able to
1. use *auxiliary* object class 'pwdpolicy' and
2. set attribute 'cn' in the entry.
(I usually use structural objectClass 'applicationProcess' along with
'pwdpolicy').
Ciao, Michael.
3:15 a.m.
New subject: Password policy
Le 23/11/2012 17:04, Michael Ströder a écrit :
Guillaume Rousse wrote:
> Le 19/11/2012 17:24, jeevan kc a écrit :
>> Or how about creating an OU=policies under the root DIT and including these
>> Objectclass: person
> This class is perfectly useless here
Do you mean objectclass: person? It's needed. Otherwise..
>> Objectclass: pwdpolicy
>> Objectclass: top
>> cn:default
>> pwdAttribute:2.5.4.35
>> sn:summy
>> pwdlockout:True
>> pwdMaxfailure:3
..one would not be able to
1. use *auxiliary* object class 'pwdpolicy' and
2. set attribute 'cn' in the entry.
(I usually use structural objectClass 'applicationProcess' along with
'pwdpolicy').
Indeed, you need a structural object class. But Person is
definitively
not a good idea, unless you want to blur the issue more than needed. I
personaly use organizationalRole for this purpose.
--
BOFH excuse #412:
Radial Telemetry Infiltration
3952
days inactive
3967
days old
openldap-technical@openldap.org
4 comments
4 participants
participants (4)
-
Guillaume Rousse -
jeevan kc -
Mauricio Tavares -
Michael Ströder