On Mon, Nov 19, 2012 at 03:14:42PM +0000, jeevan kc wrote:
> I want to enable password policy on Openldap 2.4.30 (to all users). I see that
> the ppolicy.ldif and ppolicy.schema are listed under
> /usr/local/etc/openldap/schema but are not present in the
> /usr/local/etc/openldap/slapd.d/cn=config folder.
> So do I need to add the policy.ldif to the cn=config folder? Is there a
> specific procedure to do that, or can I add it manually with ldapadd? Also, how
> do I enable that schema for all users? Please help.
The Admin Guide is a good place to start:

http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies

To get the schema into your config, you should include it, e.g. if using
slapd.conf you need a line like this in the global section:

    include /usr/local/etc/openldap/schema/ppolicy.schema

Now in the database section holding your user entries:

    database hdb
    suffix "dc=dir,dc=example,dc=org"
    directory "/var/lib/ldap/db"
    ...
    overlay ppolicy
    ppolicy_default "cn=Password Policy,dc=dir,dc=example,dc=org"
    ppolicy_hash_cleartext

It is important that the default policy entry is in the same backend DB as
the users that it will control (ITS#7262).

Your actual policy can then be loaded from an LDIF file, e.g.:

    # Default password policy
    # Applies to userPassword (2.5.4.35)
    #
    dn: cn=Password Policy,dc=dir,dc=example,dc=org
    objectClass: organizationalRole
    objectClass: pwdPolicy
    cn: Password Policy
    description: The default password policy
    pwdAttribute: 2.5.4.35
    pwdLockout: TRUE
    pwdAllowUserChange: TRUE
    pwdMinLength: 9

It will apply to all users unless you place an explicit policy link in the
pwdPolicySubEntry attribute of the user entry to override it.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565  |
-----------------------------------------------------------------------
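The reply shows the slapd.conf form; the question was about a cn=config (slapd.d) deployment. The script below is an added example, not Andrew's code or anything from the OpenLDAP project, that expresses the same three steps (load the ppolicy schema, attach the overlay to the user database with the default policy and cleartext hashing, load the policy entry into that same database) as LDIF for cn=config, plus a small pre-load check for the kind of typo that makes ldapadd reject an entry. Everything site-specific is an assumption: the user database is assumed to be olcDatabase={1}hdb,cn=config, the suffix dc=dir,dc=example,dc=org, the schema directory /usr/local/etc/openldap/schema, the rootdn cn=Manager,dc=dir,dc=example,dc=org, and slapd is assumed to load ppolicy as a dynamic module via cn=module{0},cn=config (omit that first change if ppolicy is compiled in statically).

```shell
#!/bin/sh
# Added example: ppolicy setup for cn=config, driven over ldapi:/// with SASL EXTERNAL.
# All values below are placeholders for the example, not taken from the thread.
SCHEMA_DIR=/usr/local/etc/openldap/schema
DB_DN='olcDatabase={1}hdb,cn=config'          # assumed: the DB holding the user entries
SUFFIX='dc=dir,dc=example,dc=org'
ROOTDN="cn=Manager,$SUFFIX"                    # assumed rootdn of that DB
POLICY_DN="cn=Password Policy,$SUFFIX"

# Step 2 in cn=config terms: the module load plus the overlay entry. This is the
# equivalent of "overlay ppolicy / ppolicy_default ... / ppolicy_hash_cleartext".
# The overlay hangs off the user DB so the default policy lives in the same backend.
overlay_ldif() {
  cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,$DB_DN
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
EOF
}

# Step 3: the default policy entry itself, same content as the reply's LDIF.
policy_ldif() {
  cat <<EOF
dn: $POLICY_DN
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 9
EOF
}

# Pre-load sanity check on LDIF read from stdin: reject a dn: line carrying a
# stray double quote (ldapadd refuses such a DN) and require pwdAttribute,
# which the pwdPolicy object class makes mandatory. Returns 0 when both pass.
check_ldif() {
  ldif=$(cat)
  if printf '%s\n' "$ldif" | grep -q '^dn: .*"'; then
    echo "check_ldif: dn line contains a double quote" >&2
    return 1
  fi
  if ! printf '%s\n' "$ldif" | grep -q '^pwdAttribute: '; then
    echo "check_ldif: pwdAttribute missing (required by pwdPolicy)" >&2
    return 1
  fi
  return 0
}

# Load everything into the running server. Step 1 loads the schema shipped
# with OpenLDAP; the overlay goes in over ldapi as root; the policy entry is
# added to the user DB as rootdn.
apply_ppolicy() {
  policy_ldif | check_ldif || return 1
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$SCHEMA_DIR/ppolicy.ldif"
  overlay_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
  policy_ldif | ldapadd -x -H ldapi:/// -D "$ROOTDN" -W
}

# Only talk to slapd when explicitly asked; otherwise just print the LDIF.
if [ "${1:-}" = apply ]; then
  apply_ppolicy
elif [ "${1:-}" = show ]; then
  overlay_ldif; echo; policy_ldif
fi
```

Run it as `sh ppolicy-config.sh show` to review the generated LDIF, and `sh ppolicy-config.sh apply` (as root, so the ldapi EXTERNAL bind maps to the config rootdn) to load it. Per-user overrides still work as the reply describes: a pwdPolicySubentry attribute on a user entry pointing at another pwdPolicy entry takes precedence over olcPPolicyDefault.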
