
attribute 'pwdPolicySubentry' cannot have multiple values



Hello,

I've got my LDAP infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastically (I can clear a db on a remote slave and in less than 30 seconds after startup, it'll reacquire the entire db!).

I'm now having an issue with one of the very last things: getting a password policy into effect.

When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:

Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values

I get that error in the logs whether I try to add it by hand via Apache Directory Studio, or via an LDIF import/modify:

dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net

Here are the related slapd.conf overlay directives:

overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout

(Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.)

And for completeness, here's the entry that I'm attempting to add this attribute to:

dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword:: <<snipped>>

And here's the password policy LDIF:

dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE

When I built OpenLDAP, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so, I get in the logs:

line 18 (moduleload      ppolicy.la)
module_load: (ppolicy.la) already present (static)

Which I'm pretty sure means it's already loaded...

Any idea as to what I'm doing wrong?

Thanks,
- chris

Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu
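
A check a reader debugging this error may want, given as an added example that is not part of the original message: pwdPolicySubentry is an operational, SINGLE-VALUE attribute, so a value already on the entry does not show up in a plain dump like the one above unless it is requested by name or with '+'. The sketch models only that single-value check for add/replace modifies; the DNs, the sample records and the helper names are constructed for illustration.

```python
# Assumption: lower-cased attribute types treated as SINGLE-VALUE (as pwdPolicySubentry is).
SINGLE_VALUED = {"pwdpolicysubentry"}

def parse_ldif(text):
    """Parse one LDIF record into (attr, value) pairs; '-' separators are kept."""
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    pairs = []
    for line in lines:
        attr, _, rest = line.partition(":")
        pairs.append((attr.strip().lower(), rest.lstrip(":").strip()))
    return pairs

def single_value_conflicts(entry_ldif, modify_ldif):
    """Single-valued attrs left with >1 value after the modify (add/replace only)."""
    values = {}
    for attr, value in parse_ldif(entry_ldif):
        values.setdefault(attr, []).append(value)
    op = target = None
    for attr, value in parse_ldif(modify_ldif):
        if attr in ("add", "replace"):
            op, target = attr, value.lower()
            if op == "replace":
                values[target] = []           # replace discards existing values
        elif attr == "-":
            op = target = None                # end of this modification block
        elif op and attr == target:
            values.setdefault(attr, []).append(value)
    return sorted(a for a in SINGLE_VALUED if len(values.get(a, [])) > 1)

# Constructed sample: an entry as a search requesting operational attributes
# would return it, already carrying a pwdPolicySubentry value.
ENTRY = """dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser
pwdPolicySubentry: cn=strict,ou=policies,dc=example,dc=com
"""
# Constructed modify in the same shape as the one in the message.
MODIFY = """dn: uid=testuser,ou=people,dc=example,dc=com
changetype: modify
{op}: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
"""
if __name__ == "__main__":
    print({op: single_value_conflicts(ENTRY, MODIFY.format(op=op)) for op in ("add", "replace")})
```

Feed it the entry exported with operational attributes and the intended modify; a non-empty result means the `add:` would leave two values on a single-valued attribute, whereas `replace:` would not.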