Hello
I want to enable password policy on OpenLDAP 2.4.30 (to all users). I see that the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present on /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the ppolicy.ldif to the cn=config folder? Is there a specific procedure to do that or can I add it manually with ldapadd? Also how do I enable that schema for all users? Please help.
Jeevan
On Mon, Nov 19, 2012 at 10:14 AM, jeevan kc jeev_biz@hotmail.com wrote:
Hello
I want to enable password policy on OpenLDAP 2.4.30 (to all users). I see that the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present on /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the ppolicy.ldif to the cn=config folder? Is there a specific procedure to do that or can I add it manually with ldapadd? Also how do I enable that schema for all users? Please help.
Jeevan
If you have the policy as a diff, you could add it by saying
ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/ppolicy.ldif
Then you need to ldapmodify each user, adding something like
objectClass: pwdPolicy
to each of them.
This is off the top of my head, so do verify before doing exciting thingies to your server. ;)
On 19/11/2012 16:42, Mauricio Tavares wrote:
Then you need to ldapmodify each user, adding something like
objectClass: pwdPolicy
to each of them.
That's incorrect.
The pwdPolicy object is a container for defining a policy, not for marking another object as being subject to such a policy. You don't need to modify individual user objects, unless you want them to use another policy than the default one.
On Mon, Nov 19, 2012 at 10:57 AM, Guillaume Rousse guillomovitch@gmail.com wrote:
On 19/11/2012 16:42, Mauricio Tavares wrote:
Then you need to ldapmodify each user, adding something like
objectClass: pwdPolicy
to each of them.
That's incorrect.
The pwdPolicy object is a container for defining a policy, not for marking another object as being subject to such a policy. You don't need to modify individual user objects, unless you want them to use another policy than the default one.
I stand corrected! That should teach me not to reply to questions relying on my vague memory! :)
-- BOFH excuse #452:
Somebody ran the operating system through a spelling checker.
On 19/11/2012 16:14, jeevan kc wrote:
Hello
I want to enable password policy on OpenLDAP 2.4.30 (to all users). I see that the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present on /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the ppolicy.ldif to the cn=config folder? Is there a specific procedure to do that or can I add it manually with ldapadd? Also how do I enable that schema for all users? Please help.
You don't enable a schema for specific users, you just load it in server memory.
The rest of your questions are more related to the use of dynamic configuration in general, rather than specific ppolicy configuration.
On Mon, Nov 19, 2012 at 03:14:42PM +0000, jeevan kc wrote:
I want to enable password policy on OpenLDAP 2.4.30 (to all users). I see that the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present on /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the ppolicy.ldif to the cn=config folder? Is there a specific procedure to do that or can I add it manually with ldapadd? Also how do I enable that schema for all users? Please help.
The Admin Guide is a good place to start:
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
To get the schema into your config, you should include it, e.g. if using slapd.conf you need a line like this in the global section:
include /usr/local/etc/openldap/schema/ppolicy.schema
Now in the database section holding your user entries:
database hdb
suffix "dc=dir,dc=example,dc=org"
directory "/var/lib/ldap/db"
...
overlay ppolicy
ppolicy_default "cn=Password Policy,dc=dir,dc=example,dc=org"
ppolicy_hash_cleartext
It is important that the default policy entry is in the same backend DB as the users that it will control (ITS#7262).
Your actual policy can then be loaded from an LDIF file, e.g.:
# Default password policy
# Applies to userPassword (2.5.4.35)
#
dn: cn=Password Policy,dc=dir,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 9
It will apply to all users unless you place an explicit policy link in the pwdPolicySubentry attribute of the user entry to override it.
Andrew
openldap-technical@openldap.org
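The original question was about a slapd.d (cn=config) setup rather than slapd.conf. The LDIF below is an added example, not from any poster in this thread and not from the OpenLDAP project, showing the cn=config equivalent of Andrew's slapd.conf fragment: load the ppolicy schema, load the overlay module, and attach the overlay to the user database. It assumes the user database is olcDatabase={1}hdb,cn=config, that slapd was built with ppolicy as a dynamic module installed in /usr/local/libexec/openldap, and that no cn=module entry exists yet; the policy DN and suffix are Andrew's.

```ldif
# Step 1 (run first, on the shell): load the ppolicy schema that already ships
# in the schema directory. The schema is loaded server-wide, not per user.
#
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/local/etc/openldap/schema/ppolicy.ldif
#
# Step 2: load the overlay module. Only needed when ppolicy was built as a
# module (--enable-ppolicy=mod); if it is compiled into slapd, skip this entry.
# If a cn=module{0},cn=config entry already exists, use ldapmodify to
# "add: olcModuleLoad" to it instead of adding a new entry.
# Assumed module path: /usr/local/libexec/openldap
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: ppolicy.la

# Step 3: attach the overlay to the database that holds the user entries.
# Assumed database DN: olcDatabase={1}hdb,cn=config
# olcPPolicyDefault must point into this same backend (ITS#7262).
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=Password Policy,dc=dir,dc=example,dc=org
# Hash cleartext passwords sent by clients so they are never stored in clear.
olcPPolicyHashCleartext: TRUE
# Keep the default: a locked account fails with invalidCredentials rather than
# a distinguishable accountLocked error, so bind errors do not reveal lock state.
olcPPolicyUseLockout: FALSE

# Apply steps 2 and 3 with:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-config.ldif
#
# Step 4: add the cn=Password Policy entry from Andrew's LDIF to the user
# database itself (bind as that database's rootdn, not to cn=config).
#
# Check that the overlay is active before relying on it:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL "(olcOverlay=ppolicy)"
```

The overlay entry takes effect immediately and needs no slapd restart. Without step 4 the overlay is active but has no default policy, so no constraints are enforced; after it, every user in the suffix is covered unless an entry carries its own pwdPolicySubentry, which matches Guillaume's point that individual users do not need pwdPolicy added to them.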