If I recall correctly, the default policy is applied w/o an entry in the record. If you want to apply a specific policy that is not the default, you have to have the entry in the account for the password entry
e.g. an entry like this would override the default
where if that entry was missing, then it would simply use the default entry setup in the slapd.conf or cn=config .
"Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced."
-- source: man slapo-ppolicy
I hope that is helpful
On Mar 11, 2008, at 7:38 PM, Ryan Steele wrote:
If this is the wrong list, please let me know and I'd be happy to send
it to the right one.
As I've mentioned in a previous post (which hasn't been posted yet, so I
apologize if you've seen any of this information already) I've got a FC6
box, with OpenLDAP 2.3.30. I'm attempting to get ppolicy to work, and I
can now successfully start OpenLDAP with the ppolicy directive in it:
### abridged slapd.conf ###
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"
by self write
by * auth
access to *
by * read
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
### Password Policy entry via slapcat ###
dn: cn=Password Policy,ou=policies,dc=example,dc=com
cn: Password Policy
[root@server openldap]# /etc/init.d/ldap start
Checking configuration files for slapd: WARNING: No dynamic config
support for overlay ppolicy.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
From what I gather, since I'm using a slapd.conf and not a back-bdb, that warning does not apply to me.
However, when I add users, I see no special attributes that show they're
being regulated by ppolicy (Googling turned up some ldif's that had
pwdPolicySubentry attributes - should I have that?) Additionally, I can
enter passwords such as 'a' - single characters, and it doesn't complain
at all. In fact, none of the restrictions are being enforced, and I'm
really scratching my head. The options I compiled with were:
Thanks in advance for any help...
Chris G. Sellers | NITLE - Technology Team
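Added example (not from either poster in this thread): a complete pwdPolicy entry, a second stricter one, and two user entries, one that falls back to ppolicy_default and one that names its own policy with pwdPolicySubentry, as the slapo-ppolicy(5) excerpt above describes. It assumes slapd.conf already contains `include .../schema/ppolicy.schema`, `overlay ppolicy` and `ppolicy_default` placed after the database they apply to, and that ou=policies and ou=people exist under dc=example,dc=com; the DNs, names and limits are illustrative. Two things worth checking against the posted configuration: ppolicy_default must be the exact DN of an existing pwdPolicy entry (the abridged slapd.conf above spells it ou=example,ou=com while the slapcat output shows dc=example,dc=com, and a default that names an entry slapd cannot read effectively enforces no policy), and the policy entry needs objectClass pwdPolicy plus pwdAttribute: userPassword, neither of which the abridged slapcat output shows.

```ldif
# Added example, not taken from the thread.  Assumed slapd.conf prerequisites:
#   include /etc/openldap/schema/ppolicy.schema
#   overlay ppolicy
#   ppolicy_default "cn=Password Policy,ou=policies,dc=example,dc=com"
# (both directives after the "database" line of the dc=example,dc=com backend).
# Every limit below is illustrative.

# Default policy.  pwdPolicy is AUXILIARY, so the entry needs a structural
# class; "device" is the conventional choice.  pwdAttribute is the only MUST
# attribute and is userPassword in practice.
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: userPassword
# length is only checked when pwdCheckQuality is 1 or 2; 2 also rejects a
# password the overlay cannot inspect (a pre-hashed value), 1 lets it through
pwdCheckQuality: 2
pwdMinLength: 8
pwdInHistory: 5
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMaxFailure: 5
pwdFailureCountInterval: 300
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

# Stricter policy, selected per entry via pwdPolicySubentry below.
dn: cn=Admin Policy,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: Admin Policy
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 14
pwdInHistory: 10
pwdMaxFailure: 3
pwdLockout: TRUE
# 0 = locked until an administrator clears pwdAccountLockedTime
pwdLockoutDuration: 0

# Ordinary user: no pwdPolicySubentry, so ppolicy_default applies.
# The password is sent in cleartext so pwdCheckQuality 2 can measure it;
# slapd hashes it on storage according to password-hash.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
userPassword: Correct-Horse-42

# Administrator: pwdPolicySubentry overrides the default for this entry only.
# It is an operational attribute, so ldapsearch shows it only when asked for
# it by name or with "+".
dn: uid=admin1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Admin One
sn: One
uid: admin1
userPassword: Longer-Passphrase-For-Admins-7
pwdPolicySubentry: cn=Admin Policy,ou=policies,dc=example,dc=com
```

Load this with ldapadd over the wire rather than slapadd: slapadd writes straight to the database and does not run overlays, so nothing added that way is checked or gets pwdChangedTime. To confirm enforcement, bind as uid=jdoe and run ldappasswd with a one-character password; with the policy above it must be refused with "Password fails quality checking policy". Binding as the rootdn is not a useful test of a user's policy, because the rootdn is not a normal entry and has no pwdPolicySubentry of its own.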