
Re: ppolicy

Dieter Kluenter wrote:

"Allgood, John" <jallgood@ohl.com> writes:

Hey Guys

I have another question in regard to using ppolicy. I have built my policy
into LDAP. How do I apply that policy to my existing user objects?

You either create a default rule set in slapd.conf or add a policy subentry to a user entry. Something like

dn: cn=some user,ou=users
cn: some user
objectclass: inetorgPerson
objectclass: pwdPolicy
pwdPolicySubentry: cn=users,ou=policies


Where did you get this idea from?

There is no reason to set "objectclass: pwdPolicy" on the user object.
Likewise, pwdAttribute does not belong there.


dn: cn=users,ou=policies
cn: users
objectClass: organizationalRole
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 86400
pwdGraceAuthNLimit: 2
pwdInHistory: 6
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 250000
pwdMaxFailure: 3


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
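
Added example, not part of the original message and not OpenLDAP code: a small Python check that reads an LDIF export and reports entries which point at a policy via pwdPolicySubentry yet also carry objectClass pwdPolicy or pwdAttribute themselves, the pattern objected to above. The function names and the sample LDIF are constructed for illustration.

```python
# Constructed sample export; DNs and attribute names follow the thread.
SAMPLE_LDIF = """\
dn: cn=some user,ou=users
objectclass: inetorgPerson
objectclass: pwdPolicy
pwdAttribute: userPassword
pwdPolicySubentry: cn=users,ou=policies

dn: cn=other user,ou=users
objectClass: inetOrgPerson
pwdPolicySubentry: cn=users,ou=policies

dn: cn=users,ou=policies
objectClass: organizationalRole
objectClass: pwdPolicy
pwdAttribute: userPassword
"""

def parse_ldif(text):
    """One {lowercased attr: [values]} dict per record; base64 values stay undecoded."""
    entries = []
    for record in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        entry = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def misplaced_policy_schema(entries):
    """Map DN -> pwdPolicy elements found on entries that are policy targets."""
    findings = {}
    for e in entries:
        if "pwdpolicysubentry" not in e:
            continue  # not a policy target, e.g. the policy entry itself
        problems = []
        if "pwdpolicy" in (v.lower() for v in e.get("objectclass", [])):
            problems.append("objectClass: pwdPolicy")
        if "pwdattribute" in e:
            problems.append("pwdAttribute")
        if problems:
            findings[e["dn"][0]] = problems
    return findings

if __name__ == "__main__":
    print(misplaced_policy_schema(parse_ldif(SAMPLE_LDIF)))
```

pwdPolicySubentry is an operational attribute, so an ldapsearch export has to request it explicitly (by name or with `+`) for the check to see it.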