6:14 p.m.
I read the entry in Chapter 6
http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples
regarding setting the Password Policy Control.
I have installed OpenLDAP through Cygwin. OpenLDAP is version 2.3.43
I created my db and included the Password Policy control schema, but I am getting the
following error when I try to load my default and user policies:
$ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w
secret -f /etc/openldap/data/ppolicy.ldif
adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
ldapadd: Object class violation (65)
additional info: no structural object class provided
Any idea? Do I need to add the password policy (ldif file) before I give the directive in
slapd.conf?
-----------------------------------------
The policy.ldif:
dn: ou=pwdpolicies,dc=zes_example,dc=com
ou: pwdpolicies
description: All password Policies
objectclass: organizationalunit
# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
# User can change his/her password
pwdAllowUserChange: TRUE
# Return warning to bind attempt (seconds) -- 3 days
pwdExpireWarning: 259200
# Interval in seconds to reset failure pwd count
pwdFailureCountInterval: 100
# Do not allow to bind on expired passwords
pwdGraceAuthNLimit: 0
# Reject any password changes in this list
pwdInHistory: 3
# Lock out account when user tries more than x attempts using invalid password
pwdLockout: TRUE
# Do not allow the system to unlock the account
pwdLockoutDuration: 0
# Consecutinve # of failure attempts
pwdMaxFailure: 5
# How long the password lasts before user has to change it (seconds) -- 90 days
pwdMaxAge: 77760000
# Password length
pwdMinLength: 6
The commands in my slapd.conf are:
...
include /etc/openldap/schema/ppolicy.schema
... (not usre if I need the next line)
loadmodule ppolicy.la
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
# Some ppolicy directives
ppolicy_use_lockout
Gisella Saavedra
Sr. Software Engineer
gsaavedra@zebra.com<mailto:gsaavedra@zebra.com>
[cid:image001.gif@01CA8D67.CCDB6A40]
1000 Broadway, Suite 150, Oakland, CA 94607 | T+1 510 267 5123 T Main+1 510 267 5000
F+1 510 267 5100 | http://www.zebra.com/zes
________________________________
- CONFIDENTIAL-
This email and any files transmitted with it are confidential, and may also be legally
privileged. If you are not the intended recipient, you may not review, use, copy, or
distribute this message. If you receive this email in error, please notify the sender
immediately by reply email and then delete this email.
4:36 a.m.
Hello,
Have you trying adding a "objectClass: top" on your entry?
2010/1/5 Saavedra, Gisella <gsaavedra(a)zebra.com>
I read the entry in Chapter 6
http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples
regarding setting the Password Policy Control.
I have installed OpenLDAP through Cygwin. OpenLDAP is version 2.3.43
I created my db and included the Password Policy control schema, but I am
getting the following error when I try to load my default and user policies:
$ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com"
-w secret -f /etc/openldap/data/ppolicy.ldif
adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
ldapadd: Object class violation (65)
additional info: no structural object class provided
Any idea? Do I need to add the password policy (ldif file) before I give
the directive in slapd.conf?
-----------------------------------------
The policy.ldif:
dn: ou=pwdpolicies,dc=zes_example,dc=com
ou: pwdpolicies
description: All password Policies
objectclass: organizationalunit
# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
# User can change his/her password
pwdAllowUserChange: TRUE
# Return warning to bind attempt (seconds) -- 3 days
pwdExpireWarning: 259200
# Interval in seconds to reset failure pwd count
pwdFailureCountInterval: 100
# Do not allow to bind on expired passwords
pwdGraceAuthNLimit: 0
# Reject any password changes in this list
pwdInHistory: 3
# Lock out account when user tries more than x attempts using invalid
password
pwdLockout: TRUE
# Do not allow the system to unlock the account
pwdLockoutDuration: 0
# Consecutinve # of failure attempts
pwdMaxFailure: 5
# How long the password lasts before user has to change it (seconds) -- 90
days
pwdMaxAge: 77760000
# Password length
pwdMinLength: 6
The commands in my slapd.conf are:
…
include /etc/openldap/schema/ppolicy.schema
… (not usre if I need the next line)
loadmodule ppolicy.la
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
# Some ppolicy directives
ppolicy_use_lockout
*Gisella Saavedra
*Sr. Software Engineer
*gsaavedra(a)zebra.com*
[image: http://www.navis.com/images/spacer.gif]
1000 Broadway, Suite 150, Oakland, CA 94607 | T+1 510 267 5123 T Main+1
510 267 5000 F+1 510 267 5100 | *http://www.zebra.com/zes*
------------------------------
- CONFIDENTIAL-
This email and any files transmitted with it are confidential, and may also
be legally privileged. If you are not the intended recipient, you may not
review, use, copy, or distribute this message. If you receive this email in
error, please notify the sender immediately by reply email and then delete
this email.
--
Diego Lima
5:03 a.m.
On Tuesday, 5 January 2010 03:14:44 Saavedra, Gisella wrote:
$ ldapadd -H ldap://localhost:666 -x -D
"cn=Manager,dc=zes_example,dc=com"
-w secret -f /etc/openldap/data/ppolicy.ldif adding new entry
"ou=pwdpolicies,dc=zes_example,dc=com"
adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
ldapadd: Object class violation (65)
additional info: no structural object class provided
This is LDAP basics, nothing to do with ppolicy really, and not necessarily
OpenLDAP-specific either.
[...]
# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
pwdPolicy is an auxiliary objectclass. Besides it, you need a structural
objectclass which doesn't impose any other attribute requirements, and allows
the 'cn' attribute. You could use 'device' or
'organizationalRole', which
should be in the default schema, or the 'namedObject' one (which is not in
default schema).
For example, you could solve this by adding:
objectclass: organizationalRole
cn: default
# User can change his/her password
pwdAllowUserChange: TRUE
# Return warning to bind attempt (seconds) -- 3 days
pwdExpireWarning: 259200
# Interval in seconds to reset failure pwd count
pwdFailureCountInterval: 100
# Do not allow to bind on expired passwords
pwdGraceAuthNLimit: 0
# Reject any password changes in this list
pwdInHistory: 3
# Lock out account when user tries more than x attempts using invalid
password pwdLockout: TRUE
# Do not allow the system to unlock the account
pwdLockoutDuration: 0
# Consecutinve # of failure attempts
pwdMaxFailure: 5
# How long the password lasts before user has to change it (seconds) -- 90
days pwdMaxAge: 77760000
# Password length
pwdMinLength: 6
You could also use other existing entries (e.g. an existing container entry)
to hold the password policy.
Regards,
Buchan
4652
days inactive
4654
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Buchan Milne -
Diego Lima -
Saavedra, Gisella