[Date Prev][Date Next] [Chronological] [Thread] [Top]

SubEntry behaviour in OpenLDAP

I am trying to implement a set of password policies that vary for
different groups of users. Each group is conveniently contained in a
subtree of the DIT, so it seems that this should work easily.

At the root of each subtree I have created a pwdPolicy subentry of the

dn: cn=ppolicy,ou=some-group,dc=example,dc=com
objectclass: subentry
objectclass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
pwdMinLength: 6
pwdCheckQuality: 2
subtreeSpecification: { }

OpenLDAP (version 2.3.39 in this case) recognises the subentry and
gives it the special treatment specified for searches etc, but does
not seem to be applying the policy it contains to users in the
subtree. I have a default password policy stored elsewhere in the DIT
and referenced in the ppolicy overlay config: this does take effect,
but its name does not show up in the pwdPolicySubentry operational
attribute of any user.

If I force the name of the policy into pwdPolicySubentry then it does
take effect, but that is not the point: the subentry should set this
attribute automatically.

The problem may be that the root of the subtree is not marked as an
administration point: OpenLDAP 2.3.39 knows about the
administrativeRole attribute but seems to have 'not implemented'
hard-wired into the result code.

Are subentries expected to work, or am I mis-reading something here?


|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |