
RE: attribute 'pwdPolicySubentry' cannot have multiple values

Howard, Tyler, Michael,

My apologies: I take that back.  The entry is indeed on the account - and it is, in fact, a system attribute.

I will endeavor to not reply to messages at 4am in the future - a bit too quick on the /assume/ thing.

How do you identify whether an attribute will be a system attribute or not?  I've plenty to learn on ldap, but even I knew to look at the schema file - and I'm not certain how one could know whether an attribute would be a system attribute.

Anyway - assuming the policy functions as expected - I'm nearly done with this beast of a one-man project.

- chris

PS: I'd failed to reply-to-all on my previous emails.  Please pardon my mailing list etiquette and use failure.  :)

From: Chris Jacobs
Sent: Monday, March 22, 2010 4:12 AM
To: Howard Chu
Subject: RE: attribute 'pwdPolicySubentry' cannot have multiple values

No - there's no pwdPolicySubEntry entry.

The contents of the LDAP db were built via a slapcat dump from an OpenLDAP 2.2 installation, with no ppolicy.

As you can see from the LDIF of the chrisjtest 'account' - there's no pwdPolicySubEntry currently.  Apache's directory studio and slapcat agree.

- chris

From: Howard Chu [hyc@symas.com]
Sent: Saturday, March 20, 2010 2:49 AM
To: Tyler Gates
Cc: Chris Jacobs; openldap-technical@openldap.org
Subject: Re: attribute 'pwdPolicySubentry' cannot have multiple values

Tyler Gates wrote:
> I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass
> in the target dn

No. The pwdPolicy class is for the entry that contains the policy attributes,
not the entry being controlled by the policy.

> although that wouldn't explain the error message...

The error message is quite clear - the pwdPolicySubentry attribute is
single-valued, you can't set multiple values for it.

> Are you sure the attribute doesn't already exist? It is a system
> attribute so depending on the browser you are using it may not appear.

That's most likely what's going on here.

> On Mar 19, 2010, at 6:59 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu>
> wrote:
>> Hello,
>>
>> I've got my ldap infrastructure (mirrormode masters, 2 slaves per
>> datacenter) working fantastic (I can clear a db on a remote slave
>> and in less than 30 seconds after startup, it'll reacquire the
>> entire db!).
>>
>> I'm now having an issue with one of the very last things: getting a
>> password policy into effect.
>>
>> When I attempt to add the 'pwdPolicySubentry' attribute to a user
>> account, I get the error:
>>
>> Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry
>> (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute
>> 'pwdPolicySubentry' cannot have multiple values
>> Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check:
>> attribute 'pwdPolicySubentry' cannot have multiple values
>>
>> I get that error in the logs whether I try to add it by hand via
>> Apache Directory Studio, or an ldif import/modify:
>>
>> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
>> changetype: modify
>> add: pwdPolicySubentry
>> pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>>
>> Here are the related slapd.conf overlay directives:
>>
>> overlay ppolicy
>> ppolicy_hash_cleartext
>> ppolicy_use_lockout
>>
>> (Notice there's no ppolicy_default set - I'm still testing this
>> feature out before I roll it out.)
>>
>> And for completeness, here's the entry that I'm attempting to add
>> this attribute to:
>>
>> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> cn: ChrisJ Test
>> gidNumber: 200
>> homeDirectory: /home/chrisjtest
>> sn: chrisjtest
>> uid: chrisjtest
>> uidNumber: 583
>> description: ChrisJ Test
>> gecos: ChrisJ Test
>> loginShell: /bin/bash
>> shadowLastChange: 14657
>> userPassword::<<snipped>>
>>
>> And here's the password policy ldif:
>>
>> dn: ou=policies,dc=unix,dc=aptimus,dc=net
>> objectClass: organizationalUnit
>> objectClass: top
>> ou: policies
>>
>> dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>> objectClass: top
>> objectClass: device
>> objectClass: pwdPolicy
>> cn: default
>> pwdAttribute: userPassword
>> pwdAllowUserChange: TRUE
>> pwdExpireWarning: 172800
>> pwdFailureCountInterval: 0
>> pwdGraceAuthNLimit: 0
>> pwdInHistory: 10
>> pwdLockout: TRUE
>> pwdLockoutDuration: 1200
>> pwdMaxAge: 15897600
>> pwdMaxFailure: 3
>> pwdMinLength: 8
>> pwdMustChange: FALSE
>> pwdSafeModify: TRUE
>>
>> When I built openldap, I enabled all overlays (I know, not the most
>> efficient), and when I attempt to add moduleload ppolicy.la or
>> ppolicy.so I get in the logs:
>>
>> line 18 (moduleload      ppolicy.la)
>> module_load: (ppolicy.la) already present (static)
>>
>> Which I'm pretty sure means it's already loaded...
>>
>> Any idea as to what I'm doing wrong?
>>
>> Thanks,
>> - chris
>>
>> Chris Jacobs, Jr. Linux Administrator, Information Technology &
>> Operations
>> Apollo Group | Apollo Marketing | Aptimus, Inc.
>> 2001 6th Ave | Ste 3200 | Seattle, WA 98121
>> phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
>> email:  chris.jacobs@apollogrp.edu
>> This message is private and confidential. If you have received it in
>> error, please notify the sender and remove it from your system.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
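Added example, not from any message in this thread: a small POSIX sh helper that applies the point Howard and Tyler make above. Because pwdPolicySubentry is operational (a "system attribute"), ldapsearch only returns it when '+' is requested; the helper reads such a dump and emits an LDIF modify that uses 'replace' when the attribute is already set, instead of the second 'add' that trips the single-value schema check. The live ldapsearch/ldapmodify invocation in the trailing comment and the bind DN are assumptions; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. pwdPolicySubentry is an operational
# ("system") attribute: ldapsearch returns it only when '+' is requested, and
# it is SINGLE-VALUE, so a second 'add' fails with "cannot have multiple values".
# This helper reads an ldapsearch dump and emits an LDIF modify record that
# uses 'replace' when a value is already present and 'add' otherwise.

ENTRY_DN='uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net'
POLICY_DN='cn=default,ou=policies,dc=unix,dc=aptimus,dc=net'

# Constructed sample dumps, standing in for the output of:
#   ldapsearch -LLL -x -b "$ENTRY_DN" -s base '+'
# (the '+' is what makes the operational attribute visible at all)
DUMP_WITH_POLICY='dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
createTimestamp: 20100319225124Z'

DUMP_WITHOUT_POLICY='dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
createTimestamp: 20100319225124Z'

# current_policy DUMP: print the pwdPolicySubentry value, or nothing if unset
current_policy() {
    printf '%s\n' "$1" | sed -n 's/^pwdPolicySubentry: //p'
}

# modify_op DUMP: 'replace' if a value exists, 'add' if the attribute is absent
modify_op() {
    if [ -n "$(current_policy "$1")" ]; then echo replace; else echo add; fi
}

# build_ldif DUMP: LDIF that sets POLICY_DN on ENTRY_DN without a second value
build_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: pwdPolicySubentry\npwdPolicySubentry: %s\n-\n' \
        "$ENTRY_DN" "$(modify_op "$1")" "$POLICY_DN"
}

# Live use (assumed invocation, not run here; ADMIN_DN is a placeholder):
#   dump=$(ldapsearch -LLL -x -D "$ADMIN_DN" -W -b "$ENTRY_DN" -s base '+')
#   build_ldif "$dump" | ldapmodify -x -D "$ADMIN_DN" -W
build_ldif "$DUMP_WITH_POLICY"
```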
