
Setting up user accounts with ppolicy attributes

I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I think I have the policies set up correctly in the LDAP database using the following ppolicy.ldif file:

dn: ou=policies, dc=my-domain,dc=com
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=my-domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 30 day password limit (2592000 seconds) with an even longer expire warning for testing.
pwdExpireWarning: 2592001
pwdMaxAge: 2592000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 6
pwdAllowUserChange: TRUE
# Items not currently used.
pwdMinAge: 0
pwdGraceAuthnLimit: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

and the following entries in the slapd.conf file:

# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com"

However, I'm having trouble creating user accounts.

Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like:

  pwdChangedTime;pwd-userPassword: 20000103121520Z

for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sounds like I need to get these attributes into the account structure.

Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format.

Does anyone have an example LDIF file that shows how to set up a user account to track ppolicy processing? I have the feeling I'm missing something really obvious here, but I absolutely don't see it yet.

Thanks for any help that anyone can provide.

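The two symptoms in the post (an import that fails, and "no user modification allowed" on an add) are the kind of thing a small LDIF lint can surface before the data reaches slapd. The script below is an added example, not code from the original post or from the OpenLDAP project. It encodes two facts from ppolicy.schema and the slapo-ppolicy documentation: pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdHistory and pwdGraceUseTime are operational attributes marked NO-USER-MODIFICATION, so they are written by the overlay itself and must be left out of any LDIF you load; and a non-zero pwdExpireWarning must be smaller than pwdMaxAge. The sample LDIF inside it is constructed for the test: the policy entry is the one from the post, and the uid=jdoe account entry is invented. Attribute options such as `;pwd-userPassword` are parsed but only the base attribute name is used for the checks.

```python
"""Lint a ppolicy policy entry and user entries before ldapadd (added example)."""
import re

# Operational attributes that slapo-ppolicy maintains itself. In ppolicy.schema
# they carry NO-USER-MODIFICATION, which is why an ldapadd/ldapmodify that
# supplies them is rejected with "no user modification allowed".
SERVER_MANAGED = {
    "pwdchangedtime", "pwdaccountlockedtime", "pwdfailuretime",
    "pwdhistory", "pwdgraceusetime",
}

# Constructed sample: the policy from the post plus an invented account that
# wrongly tries to seed pwdChangedTime by hand.
SAMPLE_LDIF = """
dn: ou=policies, dc=my-domain,dc=com
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=my-domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# warning window longer than the password lifetime
pwdExpireWarning: 2592001
pwdMaxAge: 2592000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 6
pwdAllowUserChange: TRUE
pwdMinAge: 0

dn: uid=jdoe,ou=people,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
userPassword: {SSHA}placeholder-hash-not-real
pwdChangedTime;pwd-userPassword: 20000103121520Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attrName: [values]}).
    Comment lines are skipped, folded lines (leading space) are joined, and
    attribute options (name;option) are kept on the name as written."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)            # LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            name = name.strip()
            value = value.strip().lstrip(":").strip()   # '::' base64 left undecoded
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def _values(attrs, name):
    """Case-insensitive lookup by base attribute name (options ignored)."""
    return [v for k, vs in attrs.items()
            if k.split(";")[0].lower() == name.lower() for v in vs]


def lint_policy(dn, attrs):
    """Checks that apply to a pwdPolicy entry."""
    out = []
    def num(name):
        vals = _values(attrs, name)
        return int(vals[0]) if vals else 0
    max_age, warn, min_age = num("pwdMaxAge"), num("pwdExpireWarning"), num("pwdMinAge")
    if max_age and warn and warn >= max_age:
        out.append((dn, f"pwdExpireWarning ({warn}) must be smaller than pwdMaxAge ({max_age})"))
    if max_age and min_age > max_age:
        out.append((dn, f"pwdMinAge ({min_age}) exceeds pwdMaxAge ({max_age})"))
    attr = _values(attrs, "pwdAttribute")
    if attr and attr[0].lower() != "userpassword":
        out.append((dn, f"pwdAttribute {attr[0]}: slapo-ppolicy only supports userPassword"))
    return out


def lint_entry(dn, attrs):
    """Checks that apply to every entry: no hand-written operational state."""
    return [(dn, f"{name}: server-managed operational attribute; omit it, the overlay "
                 "sets it when userPassword is written")
            for name in attrs if name.split(";")[0].lower() in SERVER_MANAGED]


def lint(text):
    """Run all checks over an LDIF text; returns a list of (dn, message)."""
    findings = []
    for dn, attrs in parse_ldif(text):
        findings.extend(lint_entry(dn, attrs))
        if any(c.lower() == "pwdpolicy" for c in _values(attrs, "objectClass")):
            findings.extend(lint_policy(dn, attrs))
    return findings


if __name__ == "__main__":
    for dn, msg in lint(SAMPLE_LDIF):
        print(f"{dn}\n    {msg}")
```

Run it against a real ppolicy.ldif and the account LDIF before importing; the intended fix for the account entry is simply to drop the pwd* lines and let the overlay populate pwdChangedTime (and pwdHistory, once pwdInHistory is set) on the first userPassword write.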