Howard, Tyler, Michael,
My apologies: I take that back. The entry is indeed on the account - and it is, in fact, a system attribute.
I will endeavor to not reply to messages at 4am in the future - a bit too quick on the /assume/ thing.
BTW: How do you identify whether an attribute will be a system attribute or not? I've plenty to learn on ldap, but even I knew to look at the schema file - and I'm not certain how one could know whether an attribute would be a system attribute.
Anyway - assuming the policy functions as expected - I'm nearly done with this beast of a one-man project.
Thanks! - chris
PS: I'd failed to reply-to-all on my previous emails. Please pardon my mailing list etiquette and use failure. :)
________________________________________
From: Chris Jacobs
Sent: Monday, March 22, 2010 4:12 AM
To: Howard Chu
Subject: RE: attribute 'pwdPolicySubentry' cannot have multiple values
No - there's no pwdPolicySubEntry entry.
The contents of the LDAP db were built via a slapcat dump from an OpenLDAP 2.2 installation, with no ppolicy.
As you can see from the LDIF of the chrisjtest 'account' - there's no pwdPolicySubEntry currently. Apache's directory studio and slapcat agree.
- chris
________________________________________
From: Howard Chu [hyc@symas.com]
Sent: Saturday, March 20, 2010 2:49 AM
To: Tyler Gates
Cc: Chris Jacobs; openldap-technical@openldap.org
Subject: Re: attribute 'pwdPolicySubentry' cannot have multiple values
Tyler Gates wrote:
I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass in the target dn
No. The pwdPolicy class is for the entry that contains the policy attributes, not the entry being controlled by the policy.
although that wouldn't explain the error message...
The error message is quite clear - the pwdPolicySubentry attribute is single-valued, you can't set multiple values for it.
Are you sure the attribute doesn't already exist? It is a system attribute, so depending on the browser you are using it may not appear.
That's most likely what's going on here.
On Mar 19, 2010, at 6:59 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu> wrote:
Hello,
I've got my ldap infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastic (I can clear a db on a remote slave and in less than 30 seconds after startup, it'll reacquire the entire db!).
I'm now having an issue with one of the very last things: getting a password policy into effect.
When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:
Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values
I get that error in the logs whether I try to add it by hand via Apache Directory Studio, or an ldif import/modify:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
Here are the related slapd.conf overlay directives:
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
(Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.)
And for completeness, here's the entry that I'm attempting to add this attribute to:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword:: <<snipped>>
And here's the password policy ldif:
dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE
When I built openldap, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so I get in the logs:
line 18 (moduleload ppolicy.la) module_load: (ppolicy.la) already present (static)
Which I'm pretty sure means it's already loaded...
Any idea as to what I'm doing wrong?
Thanks,
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Monday, 22 March 2010 12:40:47 Chris Jacobs wrote:
Howard, Tyler, Michael,
My apologies: I take that back. The entry is indeed on the account - and it is, in fact, a system attribute.
I will endeavor to not reply to messages at 4am in the future - a bit too quick on the /assume/ thing.
BTW: How do you identify whether an attribute will be a system attribute or not? I've plenty to learn on ldap, but even I knew to look at the schema file - and I'm not certain how one could know whether an attribute would be a system attribute.
The "USAGE directoryOperation" is the key:
[bgmilne@tiger ~]$ ldapsearch -x -s base -b cn=subschema attributetypes|perl -p0e 's/\n //g'|grep pwdPolicySubentry
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )
On an existing entry, you can ask for only the operational attributes with the '+' modifier, e.g.:
[bgmilne@tiger ~]$ ldapsearch -x -LLL uid=bgmilne '+'
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 8b74bea0-f20d-101e-8cdf-6105b6f2f478
creatorsName: uid=account admin,ou=system accounts,dc=ranger,dc=dnsailas,dc=co
 m
createTimestamp: 19960203002836Z
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
 m
pwdChangedTime: 20100319092937Z
entryCSN: 20100323080111.520646Z#000000#003#000000
modifiersName: cn=manager,dc=ranger,dc=dnsalias,dc=com
modifyTimestamp: 20100323080111Z
entryDN: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Regards, Buchan
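Howard's point (pwdPolicySubentry is SINGLE-VALUE and, being operational, hidden from a plain search or a GUI browser) and Buchan's two ldapsearch queries fit together into one small check. The script below is an added example, not code from this thread or from OpenLDAP: it unfolds the wrapped ldapsearch output, reads SINGLE-VALUE, USAGE and NO-USER-MODIFICATION out of the attributeTypes definition, looks for the attribute among the entry's operational attributes, and emits 'replace:' rather than 'add:' when a value is already there, which is exactly the case that produced the "cannot have multiple values" error. The sample inputs are the two outputs Buchan posted, copied with the line folding left in; on your own server you would paste in the output of the same two ldapsearch commands. Function names and the emitted LDIF layout are my own.

```python
"""Work out how to set pwdPolicySubentry without tripping the single-value check.

Inputs are the two things the thread shows how to fetch:
  1. the attributeTypes definition from 'ldapsearch -x -s base -b cn=subschema attributetypes'
  2. the entry's operational attributes from "ldapsearch -x -LLL uid=... '+'"
"""
import re

# Sample subschema value, copied from Buchan's output earlier in this thread.
SCHEMA_LINE = (
    "attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' "
    "DESC 'The pwdPolicy subentry in effect for this object' "
    "EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
    "SINGLE-VALUE USAGE directoryOperation )"
)

# Sample "ldapsearch -x -LLL uid=bgmilne '+'" output, also copied from the thread,
# with the LDIF line folding (continuation lines start with one space) left in.
OPERATIONAL_LDIF = """\
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 8b74bea0-f20d-101e-8cdf-6105b6f2f478
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
 m
pwdChangedTime: 20100319092937Z
modifiersName: cn=manager,dc=ranger,dc=dnsalias,dc=com
hasSubordinates: FALSE
"""


def unfold_ldif(text):
    """Join folded LDIF lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_type(line):
    """Pull the flags that matter for a modify out of one attributeTypes value."""
    body = line.split(":", 1)[1] if line.startswith("attributeTypes:") else line
    name = re.search(r"NAME\s+\(?\s*'([^']+)'", body).group(1)
    usage = re.search(r"USAGE\s+(\w+)", body)
    return {
        "name": name,
        "single_value": "SINGLE-VALUE" in body,
        # Any USAGE other than userApplications is an operational attribute: a plain
        # search (or a GUI browser) will not show it unless asked with '+' or by name.
        "operational": usage is not None and usage.group(1) != "userApplications",
        "no_user_modification": "NO-USER-MODIFICATION" in body,
    }


def parse_entry(text):
    """Turn one LDIF entry into {attribute-name-lowercased: [values]}."""
    attrs = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        # '::' marks a base64 value; it is kept encoded here since only presence matters.
        attrs.setdefault(key.strip().lower(), []).append(value.lstrip(":").strip())
    return attrs


def plan_modify(attr_def, value, entry):
    """Return the LDIF change that sets 'value' on the entry.

    'add:' on a SINGLE-VALUE attribute that already holds a value is exactly what
    makes slapd report "cannot have multiple values"; 'replace:' is the right op then.
    """
    name = attr_def["name"]
    if attr_def["no_user_modification"]:
        raise ValueError(f"{name} is NO-USER-MODIFICATION; clients cannot set it")
    present = name.lower() in entry
    op = "replace" if present and attr_def["single_value"] else "add"
    return f"dn: {entry['dn'][0]}\nchangetype: modify\n{op}: {name}\n{name}: {value}\n"


if __name__ == "__main__":
    attr_def = parse_attribute_type(SCHEMA_LINE)
    entry = parse_entry(OPERATIONAL_LDIF)
    print(attr_def)
    print(plan_modify(attr_def, "cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com", entry))
```

Run as-is it prints the parsed flags for pwdPolicySubentry and a 'replace:' modify for Buchan's entry; feed it an entry that lacks the attribute and it falls back to 'add:'. Pipe the printed LDIF into ldapmodify to apply it.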