
Re: attribute 'pwdPolicySubentry' cannot have multiple values



Tyler Gates wrote:
I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass
in the target dn

No. The pwdPolicy class is for the entry that contains the policy attributes, not the entry being controlled by the policy.

although that wouldn't explain the error message...

The error message is quite clear - the pwdPolicySubentry attribute is single-valued, you can't set multiple values for it.

Are you sure the attribute doesn't already exist? It is a system
attribute so depending on the browser you are using it may not appear.

That's most likely what's going on here.

On Mar 19, 2010, at 6:59 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu>
wrote:

Hello,

I've got my ldap infrastructure (mirrormode masters, 2 slaves per
datacenter) working fantastic (I can clear a db on a remote slave
and in less than 30 seconds after startup, it'll reacquire the
entire db!).

I'm now having an issue with one of the very last things: getting a
password policy into effect.

When I attempt to add the 'pwdPolicySubentry' attribute to a user
account, I get the error:

Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry
(uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute
'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check:
attribute 'pwdPolicySubentry' cannot have multiple values

I get that error in the logs whether I try to add it by hand via
Apache Directory Studio, or an ldif import/modify:

dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net

Here are the related slapd.conf overlay directives:

overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout

(Notice there's no ppolicy_default set - I'm still testing this
feature out before I roll it out.)

And for completeness, here's the entry that I'm attempting to add
this attribute to:

dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword::<<snipped>>

And here's the password policy ldif:

dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE

When I built openldap, I enabled all overlays (I know, not the most
efficient), and when I attempt to add moduleload ppolicy.la or
ppolicy.so I get in the logs:

line 18 (moduleload      ppolicy.la)
module_load: (ppolicy.la) already present (static)

Which I'm pretty sure means it's already loaded...

Any idea as to what I'm doing wrong?

Thanks,
- chris

Chris Jacobs, Jr. Linux Administrator, Information Technology &
Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
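An added example, not part of this thread, that turns Howard's suggestion into a check: it parses an ldapsearch result for the target entry (operational attributes such as pwdPolicySubentry are only returned when requested by name or with `+`) and emits `replace:` instead of `add:` when the single-valued attribute is already present. The sample search output and the `cn=old` policy DN are constructed; the entry and policy DNs are the ones from the thread.

```python
"""Choose 'add' vs 'replace' for the single-valued pwdPolicySubentry attribute."""
import base64

# Constructed sample of what
#   ldapsearch -LLL -b "uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net" \
#              -s base pwdPolicySubentry
# could return for an entry that already carries the operational attribute.
# The cn=old policy DN is hypothetical.
SAMPLE_SEARCH_OUTPUT = """\
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
pwdPolicySubentry: cn=old,ou=policies,dc=unix,dc=aptimus,dc=net

"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.
    Handles folded continuation lines and '::' base64 values; attribute
    names are compared case-insensitively, as LDAP does."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def ppolicy_modify_ldif(entry_dn, policy_dn, current):
    """Build the LDIF changerecord for pointing entry_dn at policy_dn.
    'add' only succeeds while the attribute is absent; a second 'add' trips
    the SINGLE-VALUE schema check seen in the thread, so use 'replace'
    (which also works when the attribute is absent)."""
    op = "replace" if current.get("pwdpolicysubentry") else "add"
    return (f"dn: {entry_dn}\nchangetype: modify\n"
            f"{op}: pwdPolicySubentry\npwdPolicySubentry: {policy_dn}\n-\n")


if __name__ == "__main__":
    current = parse_ldif_entry(SAMPLE_SEARCH_OUTPUT)
    print(ppolicy_modify_ldif(current["dn"][0],
                              "cn=default,ou=policies,dc=unix,dc=aptimus,dc=net",
                              current))
```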