
multiple password policies and pwdPolicySubentry



Hi,

I am running OpenLDAP 2.4.40 on Ubuntu 12.04

I need to use N-way multi master replication and there are only 2 masters

I am using syncrepl configuration and for the sake of security I didn't want to use the rootdn credentials for replication (I didn't want slapd.conf to have its password in plain text in the syncrepl section)

So I created an ldapreplicator account on both masters just for replication, which only has read privileges

I also have a default password policy on the ldap which has requirements that all passwords should expire in 30 days, have lockout duration, etc.

The problem is the password policy is also applied to the ldapreplicator account and due to this, the synchronization fails once the password expires.

I tried to add a different password policy to ldapreplicator using pwdPolicySubentry but keep getting error 21 invalid syntax.

I looked into the documentation and online as well, but I am not sure why I keep getting the invalid syntax error.

To keep this post short, I am attaching the slapd.conf, the password policies (default and for replicator), the LDIF containing instructions for adding the password policy to ldapreplicator, and the log output.

I am sure I am missing something; any help would be greatly appreciated.


--
-Guruprasad
#OUTPUT OF ldapadd -H "ldap://localhost:389" -D "cn=ldapadmin,dc=example,dc=com" -W -f add_ldapreplicator_ppolicy.ldif

modifying entry "cn=ldapreader,dc=example,dc=com"
ldap_modify: Invalid syntax (21)
	additional info: pwdPolicySubentry: value #0 invalid per syntax



# SERVER OUTPUT

Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 fd=9 ACCEPT from IP=127.0.0.1:45980 (IP=0.0.0.0:389)
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 op=0 BIND dn="cn=ldapadmin,dc=example,dc=com" method=128
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 op=0 BIND dn="cn=ldapadmin,dc=example,dc=com" mech=SIMPLE ssf=0
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 op=0 RESULT tag=97 err=0 text=
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 op=1 MOD dn="cn=ldapreplicator,dc=example,dc=com"
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 op=1 MOD attr=pwdPolicySubentry
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 op=1 RESULT tag=103 err=21 text=pwdPolicySubentry: value #0 invalid per syntax
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 op=2 UNBIND
Mar  2 10:48:20 ldaptest01 slapd[1942]: conn=1009 fd=9 closed

Attachment: add_ldapreplicator_ppolicy.ldif
Description: Binary data

Attachment: password policies.ldif
Description: Binary data

Attachment: slapd.conf
Description: Binary data
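As an added example (not taken from the post or its attachments), a per-account policy entry and the modify that attaches it to the replication account; the policy DN, the ou=policies container and the ppolicy overlay being loaded for this database are assumptions:

```ldif
# Constructed example: a separate password policy for the replication account.
# Assumes the ppolicy overlay is configured for this database and that
# ou=policies,dc=example,dc=com already exists (both assumed, not from the post).
dn: cn=replicator-policy,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: replicator-policy
sn: replicator-policy
pwdAttribute: userPassword
# 0 = the password never expires, so syncrepl binds keep working
pwdMaxAge: 0
# no lockout for the replication account (it only has read access anyway)
pwdLockout: FALSE
pwdMustChange: FALSE

# Point the account at that policy. pwdPolicySubentry has DN syntax, so the
# value must be the complete DN of an existing pwdPolicy entry; a value that
# is not a well-formed DN is rejected with err=21 (invalid syntax).
dn: cn=ldapreplicator,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=replicator-policy,ou=policies,dc=example,dc=com
```

Both records can be loaded in one run with ldapadd (ldapmodify -a), since the explicit changetype on the second record overrides the default add; the policy entry must exist before the modify is applied.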