
Re: PPolicy Questions

Your slapd.conf file should include a schema for password policy

something like

include /home/ldap/openldap/etc/openldap/schema/ppolicy.schema

Then, you should be able to use the pwdPolicy schema. You may want to read up on

man slapo-ppolicy
(http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/slapo-ppolicy.5.html)

and the ppolicy.schema
(http://www.opensource.apple.com/darwinsource/Current/OpenLDAP-106/OpenLDAP/servers/slapd/schema/ppolicy.schema)

You should have a copy of that schema in your LDAP distribution as well, so you can read the latest version on the hard drive of your server.


On Apr 17, 2008, at 4:59 AM, Todd Merrill wrote:

I hope this is the place to send such questions.  I'm having problems
getting started with ppolicy.

I am trying to specify a specific ppolicy entry for users without
using the slapd.conf default policy.  Our OpenLDAP deployment
environment in Red Hat uses version 2.3.33.

From what I have read (elsewhere since the manual is missing the
ppolicy config info), I must first add a new policy of objectclass
'pwdPolicy' in the policy list.  I have done that without problem.  I
must then indicate for the users that use that policy, the DN of the
new policy in the field 'pwdPolicySubentry'.

My problem at this point is that I see no objectclass that contains
this field.  In reading the ppolicy.schema file I see that the type
'pwdPolicySubentry' is described there, but commented out.  The odd
thing though, is that even though it is commented out, I can see the
type in my LDAP browser when I look for a list of types, and I see no
description of it in the other .schema files.

I did read on someone's site that the user entry should be an
objectclass of 'pwdPolicy' and then the 'pwdPolicySubentry' field can
be entered, but in the ppolicy.schema document, 'pwdPolicySubentry' is
not described in the list of fields for objectclass 'pwdPolicy'.

Do I have to edit the ppolicy.schema to get the overlay to work this
way?  I'm new to LDAP so perhaps I'm not understanding something.

Any help or suggestions would be very helpful.

-Todd Merrill

______________________________________________
Chris G. Sellers | NITLE - Technology Team
734.661.2318 | chris.sellers@nitle.org
AIM: imthewherd | GoogleTalk: cgseller@gmail.com
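The steps the reply sketches (include ppolicy.schema, load the overlay, create a pwdPolicy entry, point a user at it with pwdPolicySubentry) assembled into one worked example. This is added here and is not code from either poster or from the OpenLDAP project; the suffix dc=example,dc=com, the ou=Policies container, the uid=jdoe user, the cn=Manager rootdn and the /etc/openldap path are placeholders, and the script assumes an OpenLDAP 2.3 server configured through slapd.conf with the ppolicy overlay built in. The point the original question turns on is that pwdPolicySubentry is an operational attribute registered by the overlay itself rather than by ppolicy.schema, which is why it is commented out in the schema file and listed in no objectclass yet still shows up in an LDAP browser; no schema editing is needed, and the rootdn can set it on any entry with an ordinary ldapmodify.

```shell
#!/bin/sh
# Added example, not from the thread: named pwdPolicy entry plus per-user
# pwdPolicySubentry for slapo-ppolicy on OpenLDAP 2.3 (slapd.conf style).
# All DNs, paths and the LDAP URI below are hypothetical placeholders.

SUFFIX="dc=example,dc=com"
POLICY_DN="cn=standard,ou=Policies,${SUFFIX}"
USER_DN="uid=jdoe,ou=People,${SUFFIX}"
ADMIN_DN="cn=Manager,${SUFFIX}"
LDAP_URI="ldap://localhost/"

# slapd.conf fragment. The include must precede the database section; the
# overlay directives go inside it. ppolicy_default is left commented out so
# that only entries carrying pwdPolicySubentry get a policy, as the question asks.
slapd_conf_fragment() {
    cat <<EOF
include         /etc/openldap/schema/ppolicy.schema

database        bdb
suffix          "${SUFFIX}"
rootdn          "${ADMIN_DN}"
# ... rootpw, directory, index lines ...

overlay         ppolicy
# ppolicy_default "${POLICY_DN}"
ppolicy_use_lockout
EOF
}

# Policy entry. pwdPolicy is AUXILIARY, so a structural class (device) carries
# the cn; pwdAttribute is the one MUST attribute. Ages and durations are seconds.
policy_ldif() {
    cat <<EOF
dn: ou=Policies,${SUFFIX}
objectClass: organizationalUnit
ou: Policies

dn: ${POLICY_DN}
objectClass: device
objectClass: pwdPolicy
cn: standard
pwdAttribute: userPassword
pwdMinLength: 10
pwdCheckQuality: 1
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
pwdInHistory: 5
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 300
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOF
}

# Attach the policy to one user. pwdPolicySubentry is operational, so it is
# never part of the user's objectclass list; "replace" works whether or not
# the attribute is already present.
user_ldif() {
    cat <<EOF
dn: ${USER_DN}
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: ${POLICY_DN}
EOF
}

# Apply both LDIFs as the rootdn (prompts for the rootpw).
apply_policy() {
    policy_ldif | ldapadd    -x -D "${ADMIN_DN}" -W -H "${LDAP_URI}"
    user_ldif   | ldapmodify -x -D "${ADMIN_DN}" -W -H "${LDAP_URI}"
}

# Operational attributes are only returned when asked for by name.
verify_policy() {
    ldapsearch -x -LLL -D "${ADMIN_DN}" -W -H "${LDAP_URI}" \
        -b "${USER_DN}" -s base pwdPolicySubentry
}

case "${1:-}" in
    show)   slapd_conf_fragment; echo; policy_ldif; echo; user_ldif ;;
    apply)  apply_policy ;;
    verify) verify_policy ;;
esac
```

Run `sh ppolicy-setup.sh show` to review the generated fragment and LDIF, `apply` against the server once slapd has been restarted with the new slapd.conf, and `verify` to confirm the user now carries the subentry DN.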