Howard, Tyler, Michael,
My apologies: I take that back. The entry is indeed on the account - and it is, in fact,
a system attribute.
I will endeavor to not reply to messages at 4am in the future - a bit too quick on the
/assume/ thing.
BTW:
How do you identify whether an attribute will be a system attribute or not? I've
plenty to learn on ldap, but even I knew to look at the schema file - and I'm not
certain how one could know whether an attribute would be a system attribute.
Anyway - assuming the policy functions as expected - I'm nearly done with this beast
of a one-man project.
Thanks!
- chris
PS: I'd failed to reply-to-all on my previous emails. Please pardon my mailing list
etiquette and use failure. :)
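Added example, not part of the thread: one way to answer the "how do I know it is a system attribute" question is to read the attributeTypes definition from the server's cn=subschema entry, where operational attributes carry USAGE directoryOperation (userApplications is the default when USAGE is absent) and single-valued ones carry SINGLE-VALUE. The schema excerpt below is constructed, shaped after the OpenLDAP ppolicy definition, and the ldapsearch in the comment is the command to pull the real one from your own slapd.

```shell
#!/bin/sh
# Constructed subschema excerpt (two attributeTypes lines). Fetch the real
# definitions from your server with:
#   ldapsearch -x -H ldap://ldapmaster1 -b cn=subschema -s base attributeTypes
schema_def() {
  cat <<'EOF'
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common name(s) for which the entity is known by' SUP name )
EOF
}

# Print the attributeTypes line whose NAME (single or list form) is exactly $1.
attr_def() {
  schema_def | grep -E "NAME ('$1'|\([^)]*'$1'[^)]*\))"
}

# USAGE of attribute $1; userApplications when the definition has no USAGE.
attr_usage() {
  u=$(attr_def "$1" | sed -n 's/.*USAGE \([A-Za-z]*\).*/\1/p')
  echo "${u:-userApplications}"
}

# True when $1 is operational ("system"): slapd does not return such
# attributes on a plain search, so request them by name or with '+', e.g.
#   ldapsearch -x -b 'uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net' '+'
attr_is_operational() {
  case "$(attr_usage "$1")" in
    userApplications) return 1 ;;
    *) return 0 ;;
  esac
}

# True when the definition carries SINGLE-VALUE.
attr_is_single_valued() {
  attr_def "$1" | grep -q 'SINGLE-VALUE'
}

# Modify LDIF that points entry $1 at policy $2 using 'replace', which works
# whether or not a (hidden) value is already present; 'add' fails on a
# single-valued attribute that already holds one value.
policy_modify_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdPolicySubentry\npwdPolicySubentry: %s\n-\n' "$1" "$2"
}
```

Feed the output of policy_modify_ldif to ldapmodify as a DN that is allowed to write the attribute (for example the rootdn), since ordinary ACLs rarely grant write on operational attributes.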
________________________________________
From: Chris Jacobs
Sent: Monday, March 22, 2010 4:12 AM
To: Howard Chu
Subject: RE: attribute 'pwdPolicySubentry' cannot have multiple values
No - there's no pwdPolicySubEntry entry.
The contents of the LDAP db were built via a slapcat dump from an OpenLDAP 2.2
installation, with no ppolicy.
As you can see from the LDIF of the chrisjtest 'account' - there's no
pwdPolicySubEntry currently. Apache's directory studio and slapcat agree.
- chris
________________________________________
From: Howard Chu [hyc(a)symas.com]
Sent: Saturday, March 20, 2010 2:49 AM
To: Tyler Gates
Cc: Chris Jacobs; openldap-technical(a)openldap.org
Subject: Re: attribute 'pwdPolicySubentry' cannot have multiple values
Tyler Gates wrote:
> I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass
> in the target dn
No. The pwdPolicy class is for the entry that contains the policy attributes,
not the entry being controlled by the policy.
> although that wouldn't explain the error message...
The error message is quite clear - the pwdPolicySubentry attribute is
single-valued, you can't set multiple values for it.
Are you sure the attribute doesn't already exist? It is a system
attribute so depending on the browser you are using it may not appear.
That's most likely what's going on here.
On Mar 19, 2010, at 6:59 PM, Chris Jacobs <Chris.Jacobs(a)apollogrp.edu> wrote:
> Hello,
>
> I've got my ldap infrastructure (mirrormode masters, 2 slaves per
> datacenter) working fantastic (I can clear a db on a remote slave
> and in less than 30 seconds after startup, it'll reacquire the
> entire db!).
>
> I'm now having an issue with one of the very last things: getting a
> password policy into effect.
>
> When I attempt to add the 'pwdPolicySubentry' attribute to a user
> account, I get the error:
>
> Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry
> (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute
> 'pwdPolicySubentry' cannot have multiple values
> Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check:
> attribute 'pwdPolicySubentry' cannot have multiple values
>
> I get that error in the logs whether I try to add it by hand via
> Apache Directory Studio, or an ldif import/modify:
>
> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>
> Here are the related slapd.conf overlay directives:
>
> overlay ppolicy
> ppolicy_hash_cleartext
> ppolicy_use_lockout
>
> (Notice there's no ppolicy_default set - I'm still testing this
> feature out before I roll it out.)
>
> And for completeness, here's the entry that I'm attempting to add
> this attribute to:
>
> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: ChrisJ Test
> gidNumber: 200
> homeDirectory: /home/chrisjtest
> sn: chrisjtest
> uid: chrisjtest
> uidNumber: 583
> description: ChrisJ Test
> gecos: ChrisJ Test
> loginShell: /bin/bash
> shadowLastChange: 14657
> userPassword::<<snipped>>
>
> And here's the password policy ldif:
>
> dn: ou=policies,dc=unix,dc=aptimus,dc=net
> objectClass: organizationalUnit
> objectClass: top
> ou: policies
>
> dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 172800
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 10
> pwdLockout: TRUE
> pwdLockoutDuration: 1200
> pwdMaxAge: 15897600
> pwdMaxFailure: 3
> pwdMinLength: 8
> pwdMustChange: FALSE
> pwdSafeModify: TRUE
>
> When I built openldap, I enabled all overlays (I know, not the most
> efficient), and when I attempt to add moduleload ppolicy.la or
> ppolicy.so I get in the logs:
>
> line 18 (moduleload ppolicy.la)
> module_load: (ppolicy.la) already present (static)
>
> Which I'm pretty sure means it's already loaded...
>
> Any idea as to what I'm doing wrong?
>
> Thanks,
> - chris
>
> Chris Jacobs, Jr. Linux Administrator, Information Technology&
> Operations
> Apollo Group | Apollo Marketing | Aptimus, Inc.
> 2001 6th Ave | Ste 3200 | Seattle, WA 98121
> phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
> email: chris.jacobs(a)apollogrp.edu
>
>
> This message is private and confidential. If you have received it in
> error, please notify the sender and remove it from your system.
>
>
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/