
Re: Password policy

On Mon, Nov 19, 2012 at 03:14:42PM +0000, jeevan kc wrote:

> I want to enable a password policy on OpenLDAP 2.4.30 (for all users). I see that
> the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/
> schema but are not present in the /usr/local/etc/openldap/slapd.d/cn=config folder.
> So do I need to add the ppolicy.ldif to the cn=config folder? Is there a
> specific procedure to do that, or can I add it manually with ldapadd? Also, how do
> I enable that schema for all users? Please help.

The Admin Guide is a good place to start:


To get the schema into your config, you should include it, e.g.
if using slapd.conf you need a line like this in the global section:

include         /usr/local/etc/openldap/schema/ppolicy.schema

Now in the database section holding your user entries:

database hdb
suffix "dc=dir,dc=example,dc=org"
directory "/var/lib/ldap/db"
overlay ppolicy
ppolicy_default "cn=Password Policy,dc=dir,dc=example,dc=org"

It is important that the default policy entry is in the same
backend DB as the users that it will control (ITS#7262).

Your actual policy can then be loaded from an LDIF file, e.g.:

# Default password policy
# Applies to userPassword (pwdAttribute is a MUST attribute of pwdPolicy,
# and userPassword is the only value the overlay supports)
dn: cn=Password Policy,dc=dir,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: userPassword
# Lockout only takes effect once pwdMaxFailure is set to a non-zero value
pwdLockout: TRUE
pwdAllowUserChange: TRUE
# pwdMinLength is only enforced when pwdCheckQuality is 1 or 2
pwdMinLength: 9

It will apply to all users unless you place an explicit policy
link in the pwdPolicySubEntry attribute of the user entry to override it.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
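For the slapd.d/cn=config layout the original poster is using, the equivalent of the slapd.conf lines in the reply above, as an added example that is not part of Andrew's message. The database index {1}, the hdb backend, the cn=module{0} entry and the module file name are assumptions to check against your own cn=config; the schema load in step 1 is a separate ldapadd run.

```ldif
# Step 1: load the schema first. ppolicy.ldif ships in the schema directory
# and is added with the config-admin identity, e.g.
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/local/etc/openldap/schema/ppolicy.ldif
#
# Step 2: only needed if slapd was built with ppolicy as a dynamic module
# (a static build, common for a source install, skips this record).
# Assumes cn=module{0},cn=config already exists and names the module path.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Step 3: attach the overlay to the database that holds the user entries.
# The {1}hdb index is an assumption; confirm it with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
# The default policy entry (olcPPolicyDefault) must live in this same
# backend, as the ITS#7262 note in the reply points out.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=Password Policy,dc=dir,dc=example,dc=org

# Apply steps 2 and 3 together (records are applied in file order):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy-config.ldif
# Then load the cn=Password Policy entry from the reply with ldapadd, and
# verify the overlay is attached:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcOverlay=ppolicy)"
```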