Hello,

You may either:

  * Set a relaxed default password policy using olcPPolicyDefault /
    ppolicy_default (or no default policy at all) and set more
    restrictive password policies on some of your users by setting the
    pwdPolicySubentry attribute on their object
  * Set a restrictive default password policy, and relaxed ones on
    some of your users

Using one or the other depends on the proportion of exceptions you
would generate: the fewer, the better.

--

Matthieu CERDA


On 13/04/2018 at 11:38, Tayyab Saeed wrote:
> Dear Peter / ALL,
>
> Thanks a lot for your reply.
>
> So how can we exempt some users from password policy ?
>
> Is it possible in OpenLDAP or not ?
>
> Thanks,
> Tayyab Saeed
> ------------------------------------------------------------------------
> *From: *"Peter Gietz" <peter.gi...@daasi.de>
> *To: *openldap-technical@openldap.org
> *Sent: *Friday, April 13, 2018 1:08:31 PM
> *Subject: *Re: exempt some users from OpenLDAP password policy
>
> Dear Tayyab,
>
>
> well the error message says most of it.
>
>
> The attribute pwdChangedTime is defined in sect. 5.3.2. of
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 as:
>
> ...
>
> NO-USER-MODIFICATION
> USAGE directoryOperation )
>
>
> Which means that an LDAP client is not allowed to modify the values
> of this attribute, and that it is to be modified by the directory
> server only.
>
> And it makes perfect sense that the value is changed if and only
> if the password is being changed.
>
> Cheers,
> Peter
>
> On 12.04.2018 at 22:55, Tayyab Saeed wrote:
>
>     Dear All,
>
>     I have tried modifying pwdChangedTime and am facing the error below
>
>      modifying entry 
>      "uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com"
>      ldap_modify: Constraint violation (19)
>          additional info: pwdChangedTime: no user modification allowed
>
>     Thanks,
>     Tayyab Saeed
>
>
>

-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System
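
The second option from the reply at the top of this thread (restrictive default, relaxed policy on selected users), written out as LDIF. This is an added example, not part of the original thread: the ou=policies container, the policy names, every policy value and the overlay/database indexes in the cn=config DN are assumptions; only olcPPolicyDefault, pwdPolicySubentry and the uid=test1 DN come from the messages above.

```ldif
# Added example (constructed). ou=policies is assumed to exist already.

# 1. Restrictive policy that will apply to everyone by default.
dn: cn=default,ou=policies,dc=mydomain,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdMinLength: 12
pwdInHistory: 5
pwdLockout: TRUE
pwdMaxFailure: 5

# 2. Relaxed policy for the exceptions: pwdMaxAge 0 disables expiry,
#    while minimum length and lockout stay in force.
dn: cn=relaxed,ou=policies,dc=mydomain,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: relaxed
pwdAttribute: userPassword
pwdMaxAge: 0
pwdMinLength: 12
pwdLockout: TRUE
pwdMaxFailure: 5

# 3. Point the ppolicy overlay at the default policy. This record is a
#    cn=config change and needs a config-admin bind; the {0} and {1}
#    indexes and the mdb backend are placeholders for your deployment.
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=policies,dc=mydomain,dc=com

# 4. Exempt one user by overriding the policy on the entry itself.
#    pwdPolicySubentry, unlike pwdChangedTime, is not marked
#    NO-USER-MODIFICATION, so a client with write access may set it.
dn: uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=relaxed,ou=policies,dc=mydomain,dc=com
```

To review who is exempted later, search with the filter (pwdPolicySubentry=*) and request the attribute by name, since it is operational and not returned by default; restrict write access to it in your ACLs so users cannot reassign their own policy.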
