Dear All, 

I am sorry, but I am still unable to configure this. Could anyone please share 
the complete steps or a link so I can set it up? 


Thanks, 
Tayyab Saeed 
----- Original Message -----

From: "Dave Macias" <[email protected]> 
To: "Matthieu Cerda" <[email protected]> 
Cc: [email protected] 
Sent: Friday, April 13, 2018 8:27:04 PM 
Subject: Re: exempt some users from OpenLDAP password policy 


Here is an example which you can apply per-user which needs to be exempted: 



dn: cn=ppolicy-exclude,ou=policies,dc=organization,dc=org 
cn: ppolicy-exclude 
objectClass: top 
objectClass: device 
objectClass: pwdPolicyChecker 
objectClass: pwdPolicy 
pwdAttribute: userPassword 
pwdAllowUserChange: TRUE 
pwdMustChange: FALSE 
pwdLockout: FALSE 




On Fri, Apr 13, 2018 at 10:28 AM, Matthieu Cerda <[email protected]> wrote: 




Hello, 


You may either: 

    * Set a relaxed default password policy using olcPPolicyDefault / 
ppolicy_default (or no default policy at all) and set more restrictive password 
policies on some of your users by setting the pwdPolicySubentry attribute on 
their object 
    * Set a restrictive default password policy, and relaxed ones on some of 
your users 

Using one or the other depends on the proportion of exceptions you would 
generate: the fewer, the better. 
-- 
Matthieu CERDA 




On 13/04/2018 at 11:38, Tayyab Saeed wrote: 

<blockquote>

Dear Peter / ALL, 


Thanks a lot for your reply. 


So how can we exempt some users from password policy ? 


Is it possible in OpenLDAP or not ? 


Thanks, 
Tayyab Saeed 


From: "Peter Gietz" <[email protected]> 
To: [email protected] 
Sent: Friday, April 13, 2018 1:08:31 PM 
Subject: Re: exempt some users from OpenLDAP password policy 


Dear Tayyab, 


Well, the error message says most of it. 



The attribute pwdChangedTime is defined in sect. 5.3.2. of 
https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 as: 

... 

NO-USER-MODIFICATION 
USAGE directoryOperation ) 

Which means that an LDAP client is not allowed to modify the values of this 
attribute, and that it is to be modified by the directory server only. 

And this makes perfect sense: the value is changed if and only if the 
password is being changed. 

Cheers, 
Peter 


On 12.04.2018 at 22:55, Tayyab Saeed wrote: 

<blockquote>

Dear All, 


I have tried modifying pwdChangedTime and am facing the error below: 


modifying entry 
"uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com" 
ldap_modify: Constraint violation (19) 
additional info: pwdChangedTime: no user modification allowed 


Thanks, 
Tayyab Saeed 




</blockquote>

-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System 
</blockquote>


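The per-user exemption that Matthieu describes (a relaxed pwdPolicy entry, attached to an individual user through pwdPolicySubentry) and that Dave's ppolicy-exclude entry illustrates, written out end to end as an added example. This LDIF is not from any of the posters; it assumes the suffix dc=mydomain,dc=com and the test user DN from Tayyab's error output, an existing ou=policies container, and that the ppolicy overlay is already configured on the database. The policy name cn=ppolicy-exempt is a constructed value.

```ldif
# Constructed example, not from the thread. A relaxed policy modelled on
# Dave Macias's ppolicy-exclude entry. Suffix dc=mydomain,dc=com is taken
# from the test user's DN; ou=policies is assumed to exist already.
dn: cn=ppolicy-exempt,ou=policies,dc=mydomain,dc=com
changetype: add
cn: ppolicy-exempt
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdMustChange: FALSE
pwdLockout: FALSE
# pwdMaxAge 0 = password never expires; pwdCheckQuality 0 = no quality checks
pwdMaxAge: 0
pwdCheckQuality: 0

# Attach the relaxed policy to one user. pwdPolicySubentry is an operational
# attribute (USAGE directoryOperation) that the directory administrator sets;
# unlike pwdChangedTime it is not NO-USER-MODIFICATION in OpenLDAP's ppolicy
# schema, so an admin bind can write it with a normal modify.
dn: uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=ppolicy-exempt,ou=policies,dc=mydomain,dc=com
```

Apply both records with ldapmodify (ldapadd would force every record to be an add), binding as the directory manager; the admin DN here is assumed: `ldapmodify -x -D "cn=admin,dc=mydomain,dc=com" -W -f exempt-user.ldif`. Because pwdPolicySubentry is operational it is not returned by default, so confirm the attachment with `ldapsearch -x -D "cn=admin,dc=mydomain,dc=com" -W -b "uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com" -s base "(objectClass=*)" pwdPolicySubentry`. The same operational attribute is what makes the exceptions auditable: a search under ou=people with the filter `(pwdPolicySubentry=*)` lists every account that has been pulled out of the default policy, which is worth reviewing periodically given Matthieu's point that the exception set should stay small.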