Thanks. I've checked and rechecked the /tmp/ppolicy.ldif for stray/illegal characters, spaces, etc. I can't find anything. I deleted and recreated the file, the line, everything I could think of.
Agree with you on upgrading, that's in the plan as well.

On 9/16/13 5:09 PM, "Christian Kratzer" <[email protected]> wrote:

>Hi,
>
>On Mon, 16 Sep 2013, Philip Bubel wrote:
>
>> Running OpenLDAP 2.4.23 on CentOS 6.4 and we are having trouble
>> enabling password policies. I've read a number of FAQs online, plus
>> spent hours searching for a solution to this problem; although a lot of
>> folks seem to have the same issue, I haven't been able to find a solution
>> that works for us. I run into trouble running ldapadd to import the new
>> policy. I end up with the invalid syntax error I've included below,
>> along with a copy of the .ldif file and my slapd.conf file. I was able
>> to create the policies OU without issue. I also tried using the OID for
>> pwdAttribute instead of userPassword.
>>
>> [root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
>> Enter LDAP Password:
>> adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
>> ldap_add: Invalid syntax (21)
>>         additional info: pwdAttribute: value #0 invalid per syntax
>
>Please check your /tmp/ppolicy.ldif that there are no illegal characters
>in the line with pwdAttribute:
>
>It looks like this is perhaps broken.
>
>Please also consider updating to the latest OpenLDAP 2.4.36 via one of
>the openly available rpms.
>
>Greetings
>Christian
>
>>
>> Contents of policy.ldif
>> dn: cn=policy,ou=policies,dc=XXXX,dc=test
>> cn: default
>> objectClass: pwdPolicy
>> objectClass: person
>> objectClass: top
>> pwdAllowUserChange: TRUE
>> pwdAttribute: userPassword
>> pwdCheckQuality: 2
>> pwdExpireWarning: 600
>> pwdFailureCountInterval: 30
>> pwdGraceAuthNLimit: 5
>> pwdInHistory: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 0
>> pwdMaxAge: 0
>> pwdMaxFailure: 5
>> pwdMinAge: 0
>> pwdMinLength: 5
>> pwdMustChange: FALSE
>> pwdSafeModify: FALSE
>> sn: dummy value
>>
>> Contents of my slapd.conf
>>
>> include /etc/openldap/schema/corba.schema
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/duaconf.schema
>> include /etc/openldap/schema/dyngroup.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/java.schema
>> include /etc/openldap/schema/misc.schema
>> include /etc/openldap/schema/nis.schema
>> include /etc/openldap/schema/openldap.schema
>> include /etc/openldap/schema/ppolicy.schema
>> include /etc/openldap/schema/collective.schema
>> include /etc/openldap/schema/samba.schema
>> include /etc/openldap/schema/pmi.schema
>>
>> allow bind_v2
>>
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>>
>> modulepath /usr/lib64/openldap
>>
>> moduleload ppolicy.la
>>
>> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>> TLSCertificateFile /etc/pki/tls/certs/slapd.pem
>> TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
>>
>> database config
>> access to *
>>   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
>>   by dn.exact="cn=Manager,dc=XXXX,dc=test" read
>>   by * none
>>
>> database bdb
>> suffix "dc=XXXXX,dc=test"
>> checkpoint 1024 15
>> rootdn "cn=Manager,dc=XXXX,dc=test"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> rootpw hello (Temp password used for testing)
>>
>> overlay ppolicy
>> policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
>> policy_use_lockout
>>
>> directory /var/lib/ldap
>>
>> # Indices to maintain for this database
>> index objectClass eq,pres
>> index ou,cn,mail,surname,givenname eq,pres,sub
>> index uidNumber,gidNumber,loginShell eq,pres
>> index uid,memberUid eq,pres,sub
>> index nisMapName,nisMapEntry eq,pres,sub
>>
>
>--
>Christian Kratzer                       CK Software GmbH
>Email:  [email protected]                Wildberger Weg 24/2
>Phone:  +49 7032 893 997 - 0            D-71126 Gaeufelden
>Fax:    +49 7032 893 997 - 9            HRB 245288, Amtsgericht Stuttgart
>Web:    http://www.cksoft.de/           Geschaeftsfuehrer: Christian Kratzer
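The advice in the thread is to check the LDIF for stray characters by eye, which is easy to get wrong because a no-break space or a tab looks exactly like a space in most editors. The script below is an added example, not code from the thread or from the OpenLDAP project: a small LDIF linter that unfolds continuation lines, reports every non-printable or non-ASCII character with its Unicode name and position, flags trailing whitespace (which LDIF keeps as part of the value), checks that the RDN value in each `dn:` is actually present among the entry's attribute values (an RFC 4512 requirement, and a mismatch between `cn=policy` in the DN and `cn: default` in the entry would be rejected as a naming violation once the syntax error is out of the way), and checks that `pwdAttribute` is either a known attribute name or a numeric OID. The `KNOWN_PWD_ATTRS` set and the sample LDIF are constructed for this example; a production check would consult the server's subschema instead.

```python
import re
import sys
import unicodedata

# Constructed sample (not the thread's file verbatim): the ppolicy entry from
# the original post with two defects planted on purpose, a no-break space
# (U+00A0) glued to the pwdAttribute value and an RDN value (cn=policy) that
# is not among the entry's cn values (cn: default).
SAMPLE_LDIF = (
    "dn: cn=policy,ou=policies,dc=example,dc=test\n"
    "cn: default\n"
    "objectClass: pwdPolicy\n"
    "objectClass: person\n"
    "objectClass: top\n"
    "pwdAllowUserChange: TRUE\n"
    "pwdAttribute: userPassword\u00a0\n"
    "pwdCheckQuality: 2\n"
    "pwdMaxFailure: 5\n"
    "sn: dummy value\n"
)

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)[ ]?(.*)$")
NUMERIC_OID = re.compile(r"^\d+(\.\d+)+$")
# Assumption: names a policy would plausibly point at (2.5.4.35 is the OID of
# userPassword). A real check would read the server's cn=subschema.
KNOWN_PWD_ATTRS = {"userpassword", "2.5.4.35"}


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto their logical
    line; each logical line keeps the physical line number it started on."""
    logical = []
    for num, raw in enumerate(text.split("\n"), start=1):
        if raw.startswith(" ") and logical:
            logical[-1] = (logical[-1][0], logical[-1][1] + raw[1:])
        else:
            logical.append((num, raw))
    return logical


def odd_chars(value):
    """Yield (offset, char) for every character outside printable ASCII."""
    for i, ch in enumerate(value):
        if ord(ch) < 0x20 or ord(ch) > 0x7E:
            yield i, ch


def check_rdn(record):
    """RFC 4512 2.3.1: the attribute values in an entry's RDN must be present
    in the entry. Simple split; escaped commas in DNs are not handled."""
    first = record[0][0]
    dns = [v for (_, a, v) in record if a.lower() == "dn"]
    if not dns:
        return [f"L{first}: record has no dn line"]
    rdn = dns[0].split(",", 1)[0]
    if "=" not in rdn:
        return [f"L{first} dn: RDN {rdn!r} is not attribute=value"]
    rattr, rval = (s.strip() for s in rdn.split("=", 1))
    present = {v.strip().lower() for (_, a, v) in record if a.lower() == rattr.lower()}
    if rval.lower() not in present:
        return [f"L{first} dn: RDN value {rattr}={rval} is not among the entry's "
                f"{rattr} values {sorted(present)}"]
    return []


def lint_ldif(text):
    """Return a list of human-readable findings; empty list means clean."""
    findings = []
    if text.startswith("\ufeff"):
        findings.append("L1: file starts with a UTF-8 byte-order mark")
    records, current = [], []
    for num, line in unfold(text):
        if line.strip() == "":          # blank line ends a record
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            findings.append(f"L{num}: not an 'attr: value' line: {line!r}")
            continue
        attr, sep, value = m.groups()
        for i, ch in odd_chars(value):
            name = unicodedata.name(ch, "UNNAMED")
            findings.append(f"L{num} {attr}: non-printable/non-ASCII U+{ord(ch):04X} "
                            f"{name} at value offset {i}")
        if sep == ":" and value.endswith((" ", "\t")):
            findings.append(f"L{num} {attr}: trailing whitespace becomes part of the value")
        if attr.lower() == "pwdattribute":
            v = value.strip().lower()
            if v not in KNOWN_PWD_ATTRS and not NUMERIC_OID.match(v):
                findings.append(f"L{num} pwdAttribute: {value!r} is neither a known "
                                f"attribute name nor a numeric OID")
        current.append((num, attr, value))
    if current:
        records.append(current)
    for rec in records:
        findings.extend(check_rdn(rec))
    return findings


if __name__ == "__main__":
    # Lint a file given on the command line, otherwise the embedded sample.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for finding in lint_ldif(src):
        print(finding)
```

Run it as `python lint_ldif.py /tmp/ppolicy.ldif`; for the embedded sample it reports the U+00A0 in the pwdAttribute value (the kind of defect that produces "value #0 invalid per syntax" while looking fine in an editor) and the cn=policy versus cn: default mismatch. Fixing both leaves the sample clean.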
