I read the entry in Chapter 6 http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples regarding setting the Password Policy Control.
I have installed OpenLDAP through Cygwin. OpenLDAP is version 2.3.43
I created my db and included the Password Policy control schema, but I am getting the following error when I try to load my default and user policies:
$ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w secret -f /etc/openldap/data/ppolicy.ldif
adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
ldapadd: Object class violation (65)
additional info: no structural object class provided
Any idea? Do I need to add the password policy (ldif file) before I give the directive in slapd.conf?
The policy.ldif:
dn: ou=pwdpolicies,dc=zes_example,dc=com
ou: pwdpolicies
description: All password Policies
objectclass: organizationalunit

# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
# User can change his/her password
pwdAllowUserChange: TRUE
# Return warning to bind attempt (seconds) -- 3 days
pwdExpireWarning: 259200
# Interval in seconds to reset failure pwd count
pwdFailureCountInterval: 100
# Do not allow to bind on expired passwords
pwdGraceAuthNLimit: 0
# Reject any password changes in this list
pwdInHistory: 3
# Lock out account when user tries more than x attempts using invalid password
pwdLockout: TRUE
# Do not allow the system to unlock the account (0 = locked until an admin resets it)
pwdLockoutDuration: 0
# Consecutive # of failure attempts
pwdMaxFailure: 5
# How long the password lasts before user has to change it (seconds) -- 90 days (90 * 86400)
pwdMaxAge: 7776000
# Password length
pwdMinLength: 6
The commands in my slapd.conf are:
...
include /etc/openldap/schema/ppolicy.schema
... (not sure if I need the next line)
# the slapd.conf directive is moduleload; only needed if ppolicy was built as a dynamic module
moduleload ppolicy.la
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
# Some ppolicy directives
ppolicy_use_lockout
Gisella Saavedra, Sr. Software Engineer, gsaavedra@zebra.com
Hello,
Have you tried adding an "objectClass: top" to your entry?
2010/1/5 Saavedra, Gisella gsaavedra@zebra.com
On Tuesday, 5 January 2010 03:14:44 Saavedra, Gisella wrote:
$ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w secret -f /etc/openldap/data/ppolicy.ldif
adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
ldapadd: Object class violation (65)
additional info: no structural object class provided
This is LDAP basics, nothing to do with ppolicy really, and not necessarily OpenLDAP-specific either.
[...]
# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
pwdPolicy is an auxiliary objectclass. Besides it, you need a structural objectclass which doesn't impose any other attribute requirements, and allows the 'cn' attribute. You could use 'device' or 'organizationalRole', which should be in the default schema, or the 'namedObject' one (which is not in default schema).
For example, you could solve this by adding:
objectclass: organizationalRole
cn: default
# User can change his/her password
pwdAllowUserChange: TRUE
# Return warning to bind attempt (seconds) -- 3 days
pwdExpireWarning: 259200
# Interval in seconds to reset failure pwd count
pwdFailureCountInterval: 100
# Do not allow to bind on expired passwords
pwdGraceAuthNLimit: 0
# Reject any password changes in this list
pwdInHistory: 3
# Lock out account when user tries more than x attempts using invalid password
pwdLockout: TRUE
# Do not allow the system to unlock the account (0 = locked until an admin resets it)
pwdLockoutDuration: 0
# Consecutive # of failure attempts
pwdMaxFailure: 5
# How long the password lasts before user has to change it (seconds) -- 90 days (90 * 86400)
pwdMaxAge: 7776000
# Password length
pwdMinLength: 6
You could also use other existing entries (e.g. an existing container entry) to hold the password policy.
Regards, Buchan
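As an added pre-flight check (not code from the thread or from OpenLDAP), the following Python mirrors the test Buchan describes: it parses an LDIF file and flags any entry whose objectClass values contain no STRUCTURAL class, so the posted entry fails, adding only "top" still fails (top is ABSTRACT), and adding organizationalRole passes. The OBJECT_CLASS_KIND table is a constructed subset of the core and ppolicy schemas; a real deployment would take the kinds from the server's subschema instead.

```python
# Constructed subset of the core and ppolicy schemas: objectClass -> kind.
OBJECT_CLASS_KIND = {"top": "ABSTRACT", "pwdpolicy": "AUXILIARY", "device": "STRUCTURAL",
                     "organizationalunit": "STRUCTURAL", "organizationalrole": "STRUCTURAL"}

def parse_ldif(text):
    """Split LDIF into entries (lists of (attr, value)); skips '#' comments, unfolds RFC 2849 continuations."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation line: join without the leading space
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs = [], []
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if attrs and (not line.strip() or name == "dn"):
            entries.append(attrs)
            attrs = []
        if line.strip():
            attrs.append((name, value.strip()))
    return entries

def check_entry(attrs, kinds=OBJECT_CLASS_KIND):
    """Return (dn, problems): the same structural-class test slapd applies before raising error 65."""
    dn = next((v for a, v in attrs if a == "dn"), "<no dn>")
    classes = [v.lower() for a, v in attrs if a == "objectclass"]
    problems = [f"unknown objectClass: {c}" for c in classes if c not in kinds]
    if not any(kinds.get(c) == "STRUCTURAL" for c in classes):
        problems.append("no structural object class provided")
    return dn, problems

def check_ldif(text):
    return [check_entry(e) for e in parse_ldif(text)]

# Constructed sample: the posted policy entry, with pwdPolicy (AUXILIARY) only.
POSTED_LDIF = """\
dn: ou=pwdpolicies,dc=zes_example,dc=com
objectclass: organizationalunit

# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
"""
# Buchan's fix: add a structural class that permits 'cn'.
FIXED_LDIF = POSTED_LDIF.replace("objectClass: pwdPolicy\n",
                                 "objectClass: pwdPolicy\nobjectclass: organizationalRole\n")
```

Running check_ldif over a file before ldapadd reports the offending DN together with the same "no structural object class provided" text that slapd returns, so the problem is caught before the first entry is written.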
openldap-technical@openldap.org