On Tuesday, 5 January 2010 03:14:44 Saavedra, Gisella wrote:
> $ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w secret -f /etc/openldap/data/ppolicy.ldif
> adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
> adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
> ldapadd: Object class violation (65)
>         additional info: no structural object class provided
This is LDAP basics, nothing to do with ppolicy really, and not necessarily
OpenLDAP-specific either.
[...]
> # Default Password Policy
> dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
> objectClass: pwdPolicy
pwdPolicy is an auxiliary objectclass. Besides it, you need a structural
objectclass which doesn't impose any other attribute requirements, and allows
the 'cn' attribute. You could use 'device' or 'organizationalRole', which
should be in the default schema, or the 'namedObject' one (which is not in
the default schema).
For example, you could solve this by adding:

objectClass: organizationalRole
cn: default
# User can change his/her password
pwdAllowUserChange: TRUE
# Return warning to bind attempt (seconds) -- 3 days
pwdExpireWarning: 259200
# Interval in seconds to reset failure pwd count
pwdFailureCountInterval: 100
# Do not allow bind on expired passwords
pwdGraceAuthNLimit: 0
# Reject any password changes in this list
pwdInHistory: 3
# Lock out account when user tries more than x attempts using invalid password
pwdLockout: TRUE
# Do not allow the system to unlock the account
pwdLockoutDuration: 0
# Consecutive # of failure attempts
pwdMaxFailure: 5
# How long the password lasts before user has to change it (seconds) -- 90 days
pwdMaxAge: 7776000
# Password length
pwdMinLength: 6
You could also use other existing entries (e.g. an existing container entry)
to hold the password policy.
Regards,
Buchan
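A pre-flight check for the schema problem discussed in this thread, as an added example that is not part of the original message or of OpenLDAP itself; the structural/auxiliary class sets and the rule that pwdPolicy requires pwdAttribute are assumptions taken from the core and ppolicy schemas, not a full schema load:

```python
# Added example (not from the thread): catch "no structural object class
# provided" and related schema problems in an LDIF entry before running
# ldapadd. The class sets below are assumptions covering only the classes
# mentioned in the thread; plain (non-base64) LDIF values only.
STRUCTURAL = {"device", "organizationalrole", "namedobject", "organizationalunit"}
AUXILIARY = {"pwdpolicy"}
MUST = {"pwdpolicy": {"pwdattribute"}}  # assumed from the ppolicy schema

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]} (names lowercased,
    '#' comment lines dropped, leading-space continuation lines folded)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_entry(attrs):
    """Return the schema problems slapd would report for this entry."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not classes & STRUCTURAL:
        problems.append("no structural object class provided")
    for cls in classes & set(MUST):
        for attr in sorted(MUST[cls] - set(attrs)):
            problems.append(f"object class '{cls}' requires attribute '{attr}'")
    # The RDN attribute/value must also be present in the entry itself.
    dn = attrs.get("dn", [""])[0]
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_val not in attrs.get(rdn_attr.lower(), []):
        problems.append(f"naming attribute '{rdn_attr}' value '{rdn_val}' not present")
    return problems

# Constructed sample: the rejected entry shape from the thread, then the fix.
REJECTED = """dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
"""
FIXED = REJECTED + "objectClass: organizationalRole\ncn: default\n"

if __name__ == "__main__":
    for label, ldif in (("rejected", REJECTED), ("fixed", FIXED)):
        print(label, check_entry(parse_ldif_entry(ldif)) or "ok")
```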