
ppolicy



I've got a question regarding the ppolicy overlay.  I've read the docs I
can find for it on the web, but there are a couple of holes in them and in
my knowledge.

I've got the config set up (schema, module load, external check library)
and such.  I've got the default policy DN in the database and such.

From slapd.conf:
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

From ldapsearch -b "ou=policies...":
dn: cn=DefaultPassword,ou=Policies,dc=billing,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE

When I add a user and do an ldapsearch of that user, should I see any of
the ppolicy user attributes such as "pwdReset" or "pwdChangedTime" in
the entry right off the bat or must something happen first (such as
having the user change their password)?  I ask because I see nothing
and hence don't know if ppolicy is ruling the roost or not.

Does ppolicy only affect a specific objectClass of entry (e.g.
"inetOrgPerson") or will it take effect on any entry with a
"userPassword" attribute?  None of my user accounts have "inetOrgPerson"
object classes.  Typical entry:

dn: uid=testuser,ou=People,dc=billing,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
gecos: Test User
homeDirectory: /home/testuser
uidNumber: 32004
gidNumber: 32004
userPassword:: OXgtJnhFM2VsZVls
shadowLastChange: 13978

Oh, by the way, that user was JUST added.
--
----------------------------------------------------------------------
- Rick Stevens, Unix Geek                          rps2@socal.rr.com -
-                                                                    -
-   I haven't lost my mind.  It's backed up on tape somewhere, but   -
-                       probably not recoverable.                    -
----------------------------------------------------------------------
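The ppolicy state attributes the post asks about (pwdChangedTime, pwdReset, pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime) are operational attributes, so a plain ldapsearch will not return them; they have to be requested explicitly, for example with `ldapsearch ... '+'` or by naming them in the attribute list. The following is an added example, not from the original post and not OpenLDAP's own code: a small Python model of how slapo-ppolicy interprets the pwdPolicy values shown above against such operational attributes, so you can read the state the overlay would be in for a given user. The user entries, timestamps and the "now" value are constructed; the policy numbers are the ones from the post.

```python
"""Constructed model of a few slapo-ppolicy decisions for the policy in the post.

Added example, not OpenLDAP code: it reimplements the documented meaning of
pwdMaxAge, pwdExpireWarning, pwdGraceAuthNLimit, pwdMinAge, pwdMaxFailure,
pwdFailureCountInterval and pwdLockoutDuration.  Input entries look like what
ldapsearch ... '+' returns for a user; everything below is constructed.
"""
from datetime import datetime, timedelta, timezone

# pwdPolicy values from the post (seconds, or counts).
POLICY = {
    "pwdMinAge": 86400,
    "pwdMaxAge": 7776000,
    "pwdExpireWarning": 604800,
    "pwdGraceAuthNLimit": 3,
    "pwdMaxFailure": 3,
    "pwdLockoutDuration": 180,
    "pwdFailureCountInterval": 120,
}

# pwdAccountLockedTime value ppolicy uses for "locked until an admin resets it".
ADMIN_LOCK = "000001010000Z"


def parse_gt(value):
    """Parse LDAP GeneralizedTime as ppolicy writes it (YYYYmmddHHMMSS[.ffffff]Z)."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_state(user, now, policy=POLICY):
    """Return (state, n): 'unmanaged' (no pwdChangedTime recorded yet),
    'must-change' (pwdReset TRUE), 'valid'/'warning' with n = seconds left,
    or 'expired' with n = grace binds still allowed."""
    if user.get("pwdReset") == "TRUE":
        return "must-change", 0
    changed = user.get("pwdChangedTime")
    if changed is None:
        return "unmanaged", 0
    if policy["pwdMaxAge"] <= 0:
        return "valid", -1  # no expiry configured
    expires_at = parse_gt(changed) + timedelta(seconds=policy["pwdMaxAge"])
    left = int((expires_at - now).total_seconds())
    if left <= 0:
        used = len(user.get("pwdGraceUseTime", []))
        return "expired", max(policy["pwdGraceAuthNLimit"] - used, 0)
    if policy["pwdExpireWarning"] > 0 and left <= policy["pwdExpireWarning"]:
        return "warning", left
    return "valid", left


def can_change_password(user, now, policy=POLICY):
    """pwdMinAge: a password younger than this many seconds may not be changed again."""
    changed = user.get("pwdChangedTime")
    if changed is None or policy["pwdMinAge"] <= 0:
        return True
    return now >= parse_gt(changed) + timedelta(seconds=policy["pwdMinAge"])


def lockout_state(user, now, policy=POLICY):
    """Return (locked, counted_failures, next_failure_locks).

    A pwdAccountLockedTime keeps the entry locked for pwdLockoutDuration
    seconds (indefinitely if the duration is 0 or the admin-lock sentinel is
    set).  Only pwdFailureTime values younger than pwdFailureCountInterval
    count; reaching pwdMaxFailure locks the entry.
    """
    locked_at = user.get("pwdAccountLockedTime")
    if locked_at is not None:
        if locked_at == ADMIN_LOCK or policy["pwdLockoutDuration"] <= 0:
            return True, 0, False
        until = parse_gt(locked_at) + timedelta(seconds=policy["pwdLockoutDuration"])
        if now < until:
            return True, 0, False
    failures = [parse_gt(t) for t in user.get("pwdFailureTime", [])]
    interval = policy["pwdFailureCountInterval"]
    if interval > 0:
        failures = [t for t in failures if now - t < timedelta(seconds=interval)]
    count = len(failures)
    next_locks = policy["pwdMaxFailure"] > 0 and count + 1 >= policy["pwdMaxFailure"]
    return False, count, next_locks


# Constructed "now" and user states, as ldapsearch ... '+' would show them.
NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
USERS = {
    "fresh": {"pwdChangedTime": "20240101120000Z"},
    "warned": {"pwdChangedTime": "20231205120000Z"},
    "expired": {"pwdChangedTime": "20231101120000Z",
                "pwdGraceUseTime": ["20240201090000Z"]},
    "reset": {"pwdChangedTime": "20240301110000Z", "pwdReset": "TRUE"},
    "failing": {"pwdChangedTime": "20240101120000Z",
                "pwdFailureTime": ["20240301115000Z",          # older than the 120 s interval
                                   "20240301115900.123456Z",   # counted
                                   "20240301115930Z"]},        # counted
    "locked": {"pwdChangedTime": "20240101120000Z",
               "pwdAccountLockedTime": "20240301115900Z"},      # 180 s lock still running
    "unlocked": {"pwdChangedTime": "20240101120000Z",
                 "pwdAccountLockedTime": "20240301115000Z"},    # lock already expired
    "admin-locked": {"pwdChangedTime": "20240101120000Z",
                     "pwdAccountLockedTime": ADMIN_LOCK},
}


def report(users=USERS, now=NOW, policy=POLICY):
    """{name: (pw_state, n, may_change, locked, counted_failures, next_failure_locks)}"""
    out = {}
    for name, user in users.items():
        state, n = password_state(user, now, policy)
        locked, count, next_locks = lockout_state(user, now, policy)
        out[name] = (state, n, can_change_password(user, now, policy), locked, count, next_locks)
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:13s} {row}")
```

Two details worth noticing in the output: the "failing" user has three pwdFailureTime values but only two count, because the first is older than pwdFailureCountInterval, so one more bad bind locks the entry; and the "reset" user, whose password was just set by an administrator with pwdMustChange TRUE, cannot change it yet because pwdMinAge (86400 s) has not elapsed since pwdChangedTime, which is the interaction to watch when combining those two settings.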