Here is an example policy which you can apply per user to those who need to be exempted:

# Relaxed policy subentry; point a user at it with pwdPolicySubentry.
# ppolicy attributes not listed here default to 0/FALSE, i.e. no restriction.
dn: cn=ppolicy-exclude,ou=policies,dc=organization,dc=org
cn: ppolicy-exclude
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdMustChange: FALSE
pwdLockout: FALSE


On Fri, Apr 13, 2018 at 10:28 AM, Matthieu Cerda <matthieu.ce...@nbs-system.com> wrote:

> Hello,
>
>
> You may either:
>
>    - Set a relaxed default password policy using olcPPolicyDefault /
>    ppolicy_default (or no default policy at all) and set more restrictive
>    password policies on some of your users by setting the pwdPolicySubentry
>    attribute on their object, or
>    - Set a restrictive default password policy, and relaxed ones on
>    some of your users.
>
> Using one or the other depends on the proportion of exceptions you would
> generate: the fewer, the better.
>
> --
>
> Matthieu CERDA
>
> On 13/04/2018 at 11:38, Tayyab Saeed wrote:
>
> Dear Peter / ALL,
>
> Thanks a lot for your reply.
>
> So how can we exempt some users from password policy ?
>
> Is it possible in OpenLDAP or not ?
>
> Thanks,
> Tayyab Saeed
> ------------------------------
> From: "Peter Gietz" <peter.gi...@daasi.de>
> To: openldap-technical@openldap.org
> Sent: Friday, April 13, 2018 1:08:31 PM
> Subject: Re: exempt some users from OpenLDAP password policy
>
> Dear Tayyab,
>
>
> Well, the error message says most of it.
>
>
> The attribute pwdChangedTime is defined in sect. 5.3.2. of
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 as:
>
> ...
>
> NO-USER-MODIFICATION
> USAGE directoryOperation )
>
> Which means that an LDAP client is not allowed to modify the values of
> this attribute, and that it is to be modified by the directory server only.
>
> And this makes perfect sense: the value is changed if and only if
> the password is being changed.
>
> Cheers,
> Peter
>
> On 12.04.2018 at 22:55, Tayyab Saeed wrote:
>
> Dear All,
>
> I have tried modifying pwdChangedTime and am facing the error below:
>
>  modifying entry
>  "uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com"
>  ldap_modify: Constraint violation (19)
>      additional info: pwdChangedTime: no user modification allowed
>
> Thanks,
> Tayyab Saeed
>
>
>
>
> --
> Matthieu Cerda
> Infrastructure, BU Means @ NBS System
>
>

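The exemption approach discussed in this thread (a restrictive default policy via olcPPolicyDefault, a relaxed policy subentry, and pwdPolicySubentry set on the individual user), as an added example script that is not code from the thread or from the OpenLDAP project. It assumes the suffix dc=example,dc=com, an existing ou=policies container, an admin bind DN with write access to the policy container and to the users' pwdPolicySubentry attribute, and a password file for the bind; the DNs and variable names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. Exempts chosen users from the
# directory's default ppolicy by attaching a relaxed per-user policy through
# pwdPolicySubentry. Assumed: suffix dc=example,dc=com, an existing
# ou=policies container, slapd at $LDAP_URI, an admin identity $BIND_DN whose
# password is in $PW_FILE (all hypothetical names, override via environment).
SUFFIX="${SUFFIX:-dc=example,dc=com}"
POLICY_DN="cn=ppolicy-exclude,ou=policies,$SUFFIX"
LDAP_URI="${LDAP_URI:-ldap://localhost}"
BIND_DN="${BIND_DN:-cn=admin,$SUFFIX}"
PW_FILE="${PW_FILE:-/etc/ldap/admin.pw}"

# LDIF for the exemption policy. Every restriction is spelled out as "off"
# even though an absent ppolicy attribute already means "no restriction",
# so a reviewer can see at a glance what this policy does not enforce.
relaxed_policy_ldif() {
  cat <<EOF
dn: $POLICY_DN
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: ppolicy-exclude
description: Exemption policy: no expiry, no lockout, no quality checks
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdMustChange: FALSE
pwdLockout: FALSE
pwdMaxAge: 0
pwdMinLength: 0
pwdCheckQuality: 0
pwdInHistory: 0
EOF
}

# Attach a user: pwdPolicySubentry is single-valued, so "replace" is used
# rather than "add", which also makes the change idempotent.
attach_user_ldif() {
  cat <<EOF
dn: $1
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: $POLICY_DN
EOF
}

# Detach a user: deleting the attribute puts the overlay default
# (olcPPolicyDefault / ppolicy_default) back in force for that entry.
detach_user_ldif() {
  cat <<EOF
dn: $1
changetype: modify
delete: pwdPolicySubentry
EOF
}

# Which policy slapd applies to an entry, given the entry's LDIF on stdin
# and the configured default policy DN in $1 (empty if none): an explicit
# pwdPolicySubentry wins, then the default, otherwise no policy at all.
effective_policy() {
  sub=$(sed -n 's/^pwdPolicySubentry: //p' | head -n 1)
  if [ -n "$sub" ]; then printf '%s\n' "$sub"
  elif [ -n "$1" ]; then printf '%s\n' "$1"
  else printf '%s\n' "(none)"; fi
}

# Apply against a live server. ldapadd -c continues past "Already exists"
# on reruns. pwdPolicySubentry and pwdChangedTime are operational
# attributes, so the verification search must request them by name;
# a plain "ldapsearch ... '*'" would not return either of them.
apply_exemption() {
  user_dn="$1"
  relaxed_policy_ldif | ldapadd -c -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE"
  attach_user_ldif "$user_dn" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE"
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" \
    -b "$user_dn" -s base pwdPolicySubentry pwdChangedTime
}

case "${1:-}" in
  apply)  apply_exemption "$2" ;;
  detach) detach_user_ldif "$2" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" ;;
  *)      relaxed_policy_ldif ;;   # no arguments: just print the policy LDIF
esac
```

Usage: `./ppolicy-exempt.sh apply "uid=test1,ou=people,dc=example,dc=com"`; the final ldapsearch should show the pwdPolicySubentry value just written, while pwdChangedTime stays whatever slapd set at the last password change, since that attribute cannot be written by a client. Note that the exempt users lose lockout protection as well as expiry, so the set of entries carrying pwdPolicySubentry is worth auditing periodically with `ldapsearch ... "(pwdPolicySubentry=*)" pwdPolicySubentry`.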