
Re: Configuring ppolicy problem



Thanks Guillaume

I will try it and I will let you know.




On 08/29/2012 03:59 PM, Guillaume Rousse wrote:
On 29/08/2012 20:52, cbulist wrote:
Thanks Clement and Guillaume for your reply.

These are my operational attributes for my user:

dn: cn=user1,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
pwdAttribute: userPassword
sn: user1
uid: user1
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE

Those are plain attributes, not *operational* attributes.

Guillaume:
I know that my access configuration is dangerous, but as I am testing I
just want to be sure I don't block anything.
If I understood your concept, I can't use pwdPolicy for a unix account. Is
there any way to control password history with shadowAccount?

Not with shadowAccount, but with password policy. Just create a pwdPolicy object, instance of pwdPolicy class, and apply it to either all your users, through slapd.conf ppolicy_default setting, or just to some of your users, through its operational pwdPolicySubentry attribute.

Basically, you should have distinct user and policy objects, such as:

dn: cn=user1,ou=users,dc=samle,dc=com
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1
uid: user1
userPassword: XXXX

dn: cn=default,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE
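
Added example, not part of the original thread and not code from OpenLDAP: a small Python lint over an LDIF export that flags a user entry mixed with pwdPolicy, a policy entry without pwdAttribute, and users for whom neither pwdPolicySubentry nor the ppolicy_default value resolves to a policy entry. The function names, the LOGIN_CLASSES set, the device structural class and the sample entries are assumptions constructed for illustration.

```python
# Added example, not from the thread. Plain LDIF only (no base64, no folding).
LOGIN_CLASSES = {"shadowaccount", "posixaccount", "inetorgperson"}
# Constructed sample: a mixed entry like the thread's, a separate user, and a
# policy entry with a structural class (device) plus the mandatory pwdAttribute.
SAMPLE_LDIF = """\
dn: cn=user1,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: shadowAccount
cn: user1
pwdAttribute: userPassword

dn: cn=user2,ou=users,dc=samle,dc=com
objectClass: shadowAccount
cn: user2

dn: cn=default,ou=policies,dc=samle,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
"""

def parse_ldif(text):
    entries = {}  # {lowercased dn: {lowercased attribute: [values]}}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def lint(entries, ppolicy_default=None):
    # ppolicy_default mirrors the slapd.conf setting; returns (dn, problem) pairs.
    findings = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "pwdpolicy" in classes and classes & LOGIN_CLASSES:
            findings.append((dn, "mixed user and pwdPolicy entry"))
        elif "pwdpolicy" in classes and "pwdattribute" not in attrs:
            findings.append((dn, "pwdPolicy without pwdAttribute"))
        elif classes & LOGIN_CLASSES:
            policy = (attrs.get("pwdpolicysubentry") or [ppolicy_default])[0]
            target = entries.get((policy or "").lower(), {})
            if "pwdpolicy" not in [c.lower() for c in target.get("objectclass", [])]:
                findings.append((dn, "no pwdPolicy entry resolved"))
    return sorted(findings)
```

pwdPolicySubentry is operational, so it only appears in an export that requested operational attributes (for example an ldapsearch that asks for "+").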