[email protected] wrote:
> with ppolicy overlay loaded (and functioning) the following root DSE is:
> [..]
> I would expect to see output similar to...
>
> http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse
>
> specifically line 12 (and maybe line 40).

It's a bit hard to follow line number references in a web page. :-/

But I guess you mean the OIDs coming from draft-vchu-ldap-pwd-policy [1].

Note that AFAIK OpenDJ supports old draft-vchu-ldap-pwd-policy which is very outdated and not supported by LDAP servers without Netscape roots.

slapo-ppolicy implements draft-behera-ldap-password-policy [2].

> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap to interact with password policies against when
> configured in openldap.

Using pam_ldap is NOT recommended nowadays for a bunch of reasons.
Use nss-pam-ldapd, sssd or OpenLDAP's slapo-nssov.
AFAIK all of them support draft-behera-ldap-password-policy.

But such usage discussion belongs on the openldap-technical mailing list and not in the ITS.

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy
[2] https://tools.ietf.org/html/draft-behera-ldap-password-policy
