Hello,
I've got my ldap infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastic (I can clear a db on a remote slave and in less than 30 seconds after startup, it'll reacquire the entire db!).
I'm now having an issue with one of the very last things: getting a password policy into effect.
When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:
Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values
I get that error in the logs whether I try to add it by hand via Apache Directory Studio, or an ldif import/modify:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
Here are the related slapd.conf overlay directives:
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
(Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.)
And for completeness, here's the entry that I'm attempting to add this attribute to:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword:: <<snipped>>
And here's the password policy ldif:
dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE
When I built openldap, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so I get in the logs:
line 18 (moduleload ppolicy.la) module_load: (ppolicy.la) already present (static)
Which I'm pretty sure means it's already loaded...
Any idea as to what I'm doing wrong?
Thanks, - chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
On Fri, 19 Mar 2010 15:59:20 -0700, Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
Hello,
I've got my ldap infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastic (I can clear a db on a remote slave and in less than 30 seconds after startup, it'll reacquire the entire db!).
I'm now having an issue with one of the very last things: getting a password policy into effect.
When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:
Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values
[...]
Did you add the ppolicy.schema?
-Dieter
I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass in the target dn, although that wouldn't explain the error message... Are you sure the attribute doesn't already exist? It is a system attribute, so depending on the browser you are using it may not appear.
On Mar 19, 2010, at 6:59 PM, Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
[...]
Tyler Gates wrote:
I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass in the target dn
No. The pwdPolicy class is for the entry that contains the policy attributes, not the entry being controlled by the policy.
although that wouldn't explain the error message...
The error message is quite clear - the pwdPolicySubentry attribute is single-valued, you can't set multiple values for it.
Are you sure the attribute doesn't already exist? It is a system attribute, so depending on the browser you are using it may not appear.
That's most likely what's going on here.
On Mar 19, 2010, at 6:59 PM, Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
[...]
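The diagnosis above (the attribute is single-valued and was probably already present but hidden), as an added example that is not from this thread or from OpenLDAP: a small Python model of slapd's SINGLE-VALUE schema check and of operational-attribute visibility in search results. The input is the entry from the thread, trimmed, plus an assumed pre-existing pwdPolicySubentry with a placeholder DN; the LDIF parsing, the modify semantics and the search-visibility rule are simplified re-implementations, not slapd code. Against a real server the equivalent checks are an ldapsearch of the entry with '-s base' and either the attribute name 'pwdPolicySubentry' or '+' in the attribute list, followed by an ldapmodify that uses 'replace:' instead of 'add:'.

```python
"""Model of why 'add: pwdPolicySubentry' fails when the entry already has one.
Added example, not code from this thread or from OpenLDAP; it needs no server.
"""

SINGLE_VALUED = {"pwdpolicysubentry"}  # declared SINGLE-VALUE in ppolicy.schema
OPERATIONAL = {"pwdpolicysubentry"}    # USAGE directoryOperation: hidden by default

class SchemaViolation(Exception):
    """The modified entry would fail slapd's schema check."""

def parse_ldif(text):
    """Parse one LDIF record (no line folding) into (dn, {attr_lowercase: [values]})."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        name, value = line.split(":", 1)
        if value.startswith(":"):              # '::' marks base64; kept undecoded
            value = value[1:]
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def parse_modify(text):
    """Parse a 'changetype: modify' record into [(op, attr, [values]), ...]."""
    ops, current = [], None
    for line in text.strip().splitlines():
        if line.strip() == "-":                # ends one modification block
            ops.append(current)
            current = None
        elif line.strip():
            name, value = (p.strip() for p in line.split(":", 1))
            if name.lower() in ("dn", "changetype"):
                continue
            if current is None:                # 'add: attr' / 'replace: attr'
                current = (name.lower(), value, [])
            else:                              # 'attr: value' inside the block
                current[2].append(value)
    if current is not None:
        ops.append(current)
    return ops

def apply_modify(attrs, ops):
    """Apply add/replace ops to a copy of attrs, enforcing SINGLE-VALUE like slapd."""
    result = {k: list(v) for k, v in attrs.items()}
    for op, attr, values in ops:
        key = attr.lower()
        if op == "add":                        # appends to the existing values
            result.setdefault(key, []).extend(values)
        elif op == "replace":                  # discards the existing values first
            result[key] = list(values)
        else:
            raise ValueError(f"op not modelled: {op}")
        if key in SINGLE_VALUED and len(result[key]) > 1:
            # Same wording as the slapd log line quoted in the thread.
            raise SchemaViolation(f"attribute '{attr}' cannot have multiple values")
    return result

def search_attributes(attrs, requested=("*",)):
    """Attributes a search returns: '*' = user attrs, '+' = operational, or names."""
    wanted = {r.lower() for r in requested}
    return {k: v for k, v in attrs.items()
            if k in wanted or ("*" in wanted and k not in OPERATIONAL)
            or ("+" in wanted and k in OPERATIONAL)}

# Constructed sample: the thread's entry (trimmed) plus an ASSUMED pre-existing
# pwdPolicySubentry with a placeholder DN, which a default search would not show.
USER_ENTRY = """\
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: inetOrgPerson
cn: ChrisJ Test
sn: chrisjtest
uid: chrisjtest
userPassword:: <<snipped>>
pwdPolicySubentry: cn=OLD-POLICY-PLACEHOLDER,ou=policies,dc=unix,dc=aptimus,dc=net
"""
# The modify from the thread, and the same change written with replace:.
MODIFY_ADD = """\
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
"""
MODIFY_REPLACE = MODIFY_ADD.replace("add:", "replace:")

def demo():
    """(error from add:, value after replace:, hidden by default?, shown with '+'?)"""
    _, attrs = parse_ldif(USER_ENTRY)
    try:
        apply_modify(attrs, parse_modify(MODIFY_ADD))
        add_error = None
    except SchemaViolation as exc:
        add_error = str(exc)
    fixed = apply_modify(attrs, parse_modify(MODIFY_REPLACE))
    return (add_error, fixed["pwdpolicysubentry"],
            "pwdpolicysubentry" not in search_attributes(attrs),
            "pwdpolicysubentry" in search_attributes(attrs, ("*", "+")))
```

demo() reproduces the logged message for the add:, shows that replace: leaves exactly one value, and shows that the pre-existing value is invisible to a default search but visible once '+' (or the attribute name) is requested, which is why a browser that shows only user attributes gives the impression the attribute is absent.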
Chris Jacobs wrote:
When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:
Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values
Yes, attribute type 'pwdPolicySubentry' is declared as SINGLE-VALUE which IMO makes perfect sense.
Ciao, Michael.
openldap-technical@openldap.org