|OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Overlays : Implementing server-side password policy: the "ppolicy" overlay (OpenLDAP 2.3)|
The ppolicy overlay provides the Password Policy feature to the underlying database, as described in draft-behera-ldap-password-policy.
This overlay is experimental, as the draft is incomplete yet.
|Even though this overlay is considered "experimental", this is simply due to the fact that the specification has not yet been finalized. The code itself is production quality and considered stable enough for use in production environments. It is being used successfully in many applications where in-directory password policy management is needed. Just be aware that the operation of the overlay may change as the specification matures.
|if pwdCheckQuality doesn't work, follow this check list might be helpful:|
1. Did you RTFM slapo-ppolicy? 2. check that ppolicy overlay successfully loaded and being used (e.g. by by checking that operational attributes like pwdFailureTime are maintained) 3. pwdAttribute setting: value should be "userPassword" 4. pwdCheckQuality: for testing better set value 2 (server always check password syntax) 5. pwdMinLength: e.g. value is 6, server do not accept password shorter than 6 character 6. ppolicy_default: check this by checking if changes to pwdMaxFailure on default entry have effect 7. make sure to restart the server after changing slapd.conf 8. make sure you are not bound as rootdn in testing 9. make sure you are using ldappasswd(1) rather than ldapmodify(1)If you have checked all of the above and the problem still isn't solved, you can ask the mailing list referring to this FAQ.
|[Append to This Answer]|
|Previous:||Proxy caching: the "pcache" overlay (OpenLDAP 2.2)|
|Next:||Referential integrity: the "refint" overlay (OpenLDAP 2.3)|