Implementing server-side password policy: the "ppolicy" overlay (OpenLDAP 2.3)
The ppolicy overlay provides the Password Policy feature to the underlying database, as described in draft-behera-ldap-password-policy.

This overlay is experimental, as the draft is not yet complete.

Even though this overlay is considered "experimental", this is simply due to the fact that the specification has not yet been finalized. The code itself is production quality and considered stable enough for use in production environments. It is being used successfully in many applications where in-directory password policy management is needed. Just be aware that the operation of the overlay may change as the specification matures.
If pwdCheckQuality doesn't work, the following checklist may be helpful:
   1. Did you RTFM slapo-ppolicy?
   2. Did you check that the OpenLDAP version is higher than 2.3?
   3. Check that the ppolicy overlay was successfully loaded and is being
      used (this can be verified by checking whether an operational
      attribute such as pwdFailureTime is maintained);
   4. pwdAttribute setting: the value should be "userPassword";
   5. pwdCheckQuality: for testing, it is better to set the value to 2
      (the server always checks password syntax);
   6. pwdMinLength: e.g. if the value is 6, the server does not accept
      passwords shorter than 6 characters;
   7. ppolicy_default: verify this by checking whether changes to
      pwdMaxFailure on the default entry have an effect;
   8. Check that the entry being operated on doesn't have pwdPolicySubentry,
      so the default should be applied;
   9. Make sure the slapd server was restarted after all of the above checks
      (e.g. because of a change to slapd.conf);
  10. Make sure you are not bound as rootdn when testing;
  11. Make sure you are using ldappasswd(1) rather than ldapmodify(1).
If you have gone through the whole checklist and the problem is still not solved, you can ask the mailing list, referring to this FAQ.
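
Items 4, 5, 6 and 8 of the checklist can be verified offline against saved LDIF. The script below is an added example, not part of the original FAQ or of OpenLDAP; the function names, DNs and sample entries are constructed for illustration.

```sh
#!/bin/sh
# Offline audit of checklist items 4, 5, 6 and 8 (added example).
# Input is LDIF text, e.g. saved `ldapsearch -LLL` output.

# attr_value NAME: print the first value of attribute NAME from LDIF on stdin
# (attribute names are case-insensitive; base64 "::" values are ignored).
attr_value() {
    awk -v want="$1" -F': ' 'tolower($1) == tolower(want) { print $2; exit }'
}

# check_policy: audit a pwdPolicy entry on stdin; returns 0 if items 4-6 hold.
check_policy() {
    ldif=$(cat); rc=0
    attr=$(printf '%s\n' "$ldif" | attr_value pwdAttribute | tr 'A-Z' 'a-z')
    qual=$(printf '%s\n' "$ldif" | attr_value pwdCheckQuality)
    minlen=$(printf '%s\n' "$ldif" | attr_value pwdMinLength)
    [ "$attr" = "userpassword" ] ||
        { echo "item 4: pwdAttribute is '$attr', expected userPassword"; rc=1; }
    [ "$qual" = "2" ] ||
        { echo "item 5: pwdCheckQuality is '${qual:-unset}', use 2 for testing"; rc=1; }
    case "$minlen" in
        ''|0|*[!0-9]*) echo "item 6: pwdMinLength unset or 0, length not enforced"; rc=1 ;;
    esac
    return $rc
}

# check_user: audit a user entry (fetched with operational attributes);
# returns 0 if no pwdPolicySubentry overrides ppolicy_default.
check_user() {
    sub=$(attr_value pwdPolicySubentry)
    [ -z "$sub" ] && return 0
    echo "item 8: entry is governed by '$sub', not the default policy"
    return 1
}

# Constructed sample entries (DNs and values are made up for illustration).
good_policy() { printf '%s\n' 'dn: cn=default,ou=policies,dc=example,dc=com' \
    'objectClass: pwdPolicy' 'pwdAttribute: userPassword' \
    'pwdCheckQuality: 2' 'pwdMinLength: 6' 'pwdMaxFailure: 5'; }
weak_policy() { printf '%s\n' 'dn: cn=default,ou=policies,dc=example,dc=com' \
    'objectClass: pwdPolicy' 'pwdAttribute: userPassword' 'pwdCheckQuality: 0'; }
override_user() { printf '%s\n' 'dn: uid=alice,ou=people,dc=example,dc=com' \
    'pwdPolicySubentry: cn=strict,ou=policies,dc=example,dc=com'; }

good_policy | check_policy && echo "default policy: items 4-6 OK"
weak_policy | check_policy || true
override_user | check_user || true
```

To audit a live server, pipe ldapsearch -LLL output for the policy entry into check_policy, and for a user entry requested with '+' (operational attributes) into check_user.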
This document is: http://www.openldap.org/faq/index.cgi?file=1204
© Copyright 1998-2008, OpenLDAP Foundation, info@OpenLDAP.org