
Re: Password policy



On Mon, Nov 19, 2012 at 03:14:42PM +0000, jeevan kc wrote:

> I want to enable password policy on Openldap 2.4.30 (to all users). I see that
> the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/
> schema but are not present in the /usr/local/etc/openldap/slapd.d/cn=config folder.
> So do I need to add the policy.ldif to the cn=config folder? Is there a
> specific procedure to do that, or can I add it manually with ldapadd? Also, how do
> I enable that schema for all users? Please help.

The Admin Guide is a good place to start:

http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies

To get the schema into your config you should include it, e.g.
if using slapd.conf you need a line like this in the global
section:

include         /usr/local/etc/openldap/schema/ppolicy.schema

Now in the database section holding your user entries:

database hdb
suffix "dc=dir,dc=example,dc=org"
directory "/var/lib/ldap/db"
...
overlay ppolicy
ppolicy_default "cn=Password Policy,dc=dir,dc=example,dc=org"
ppolicy_hash_cleartext


It is important that the default policy entry is in the same
backend DB as the users that it will control (ITS#7262).

Your actual policy can then be loaded from an LDIF file, e.g.:

# Default password policy
# Applies to userPassword (2.5.4.35)
# Note: the DN must carry no quotes in LDIF; the closing quote
# that used to end this line would have become part of the DN.
#
dn: cn=Password Policy,dc=dir,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 9

It will apply to all users unless you place an explicit policy
link in the pwdPolicySubentry attribute of the user entry to override it.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
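The same steps for a slapd.d (cn=config) based server, which is what the original question asked about, as an added example that is not part of Andrew's reply or of the OpenLDAP project. It assumes the suffix and policy DN from the reply above, that the users live in olcDatabase={1}hdb, that slapd listens on ldapi:/// with the local root able to bind to cn=config via SASL EXTERNAL, that ppolicy was built as a module (ppolicy.la) and that cn=module{0},cn=config already exists, and that the database rootdn is cn=Manager under the suffix; all of those are assumptions to adjust. The pwdMaxFailure and pwdLockoutDuration values are added illustrations, not from the mail. The script also carries the two checks a practitioner wants before feeding anything to slapd: that no DN line carries a stray quote (the defect in the posted LDIF) and that the default policy DN sits under the users' suffix, which is what ITS#7262 requires.

```shell
#!/bin/sh
# Added example: enable the ppolicy overlay on a cn=config (slapd.d) server.
# Assumptions (not from the original mail): suffix, database index, rootdn,
# ldapi:/// with SASL EXTERNAL, ppolicy built as ppolicy.la, cn=module{0} exists.
SCHEMA_DIR=/usr/local/etc/openldap/schema
SUFFIX="dc=dir,dc=example,dc=org"
USER_DB="olcDatabase={1}hdb,cn=config"          # assumed: the users' backend
POLICY_DN="cn=Password Policy,$SUFFIX"
ROOTDN="cn=Manager,$SUFFIX"                       # assumed rootdn of that backend

# Normalise a DN for comparison: lower-case, drop spaces after commas.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# ITS#7262: the default policy entry must be held in the same backend as the
# users it governs. Succeeds when DN $1 is at or below suffix $2.
dn_in_suffix() {
  dn=$(norm_dn "$1"); sfx=$(norm_dn "$2")
  case "$dn" in
    "$sfx"|*",$sfx") return 0 ;;
    *) return 1 ;;
  esac
}

# LDIF that switches the overlay on for the users' database; olcPPolicyDefault
# and olcPPolicyHashCleartext are the cn=config names of the slapd.conf
# directives ppolicy_default and ppolicy_hash_cleartext.
overlay_ldif() {
  cat <<EOF
dn: olcOverlay=ppolicy,$USER_DB
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
EOF
}

# The default policy entry itself (pwdAttribute 2.5.4.35 is userPassword).
policy_ldif() {
  cat <<EOF
dn: $POLICY_DN
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 9
pwdMaxFailure: 5
pwdLockoutDuration: 900
EOF
}

# Sanity checks before anything reaches slapd: no quote characters on a DN
# line (the stray quote would become part of the DN) and the policy DN must
# sit under the users' suffix.
check_policy_ldif() {
  if policy_ldif | grep -q '^dn: .*"'; then return 1; fi
  dn_in_suffix "$POLICY_DN" "$SUFFIX"
}

apply_ppolicy() {
  check_policy_ldif || { echo "bad policy LDIF or DN not under $SUFFIX" >&2; return 1; }
  # 1. load the schema into cn=config
  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$SCHEMA_DIR/ppolicy.ldif"
  # 2. load the module (skip if ppolicy is compiled into slapd)
  ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
EOF
  # 3. attach the overlay to the users' database
  overlay_ldif | ldapadd -Q -Y EXTERNAL -H ldapi:///
  # 4. create the policy entry in that database, as its rootdn
  policy_ldif | ldapadd -x -D "$ROOTDN" -W -H ldapi:///
}

# Only talk to slapd when invoked as "sh this-script.sh apply".
if [ "${1:-}" = apply ]; then apply_ppolicy; fi
```

Afterwards, `ldapsearch -x -D "$ROOTDN" -W -H ldapi:/// -b "$SUFFIX" -e ppolicy "(uid=someone)"` reports the policy state for a user; a user carrying a pwdPolicySubentry attribute is governed by that entry instead of the default.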