On Tuesday, 5 January 2010 03:14:44 Saavedra, Gisella wrote:
> $ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w secret -f /etc/openldap/data/ppolicy.ldif
> adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
>
> adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
> ldapadd: Object class violation (65)
>         additional info: no structural object class provided

This is LDAP basics, nothing to do with ppolicy really, and not necessarily OpenLDAP-specific either.

[...]

> # Default Password Policy
> dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
> objectClass: pwdPolicy

pwdPolicy is an auxiliary objectclass. Besides it, you need a structural objectclass which doesn't impose any other attribute requirements, and allows the 'cn' attribute. You could use 'device' or 'organizationalRole', which should be in the default schema, or the 'namedObject' one (which is not in the default schema).

For example, you could solve this by adding:

objectclass: organizationalRole

> cn: default
> # User can change his/her password
> pwdAllowUserChange: TRUE
> # Return warning to bind attempt (seconds) -- 3 days
> pwdExpireWarning: 259200
> # Interval in seconds to reset failure pwd count
> pwdFailureCountInterval: 100
> # Do not allow to bind on expired passwords
> pwdGraceAuthNLimit: 0
> # Reject any password changes in this list
> pwdInHistory: 3
> # Lock out account when user tries more than x attempts using invalid password
> pwdLockout: TRUE
> # Do not allow the system to unlock the account
> pwdLockoutDuration: 0
> # Consecutive # of failure attempts
> pwdMaxFailure: 5
> # How long the password lasts before user has to change it (seconds) -- 90 days
> pwdMaxAge: 7776000
> # Password length
> pwdMinLength: 6

You could also use other existing entries (e.g. an existing container entry) to hold the password policy.

Regards,
Buchan

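The structural-objectclass rule that produced error 65 above can be checked offline before running ldapadd. The following Python script is an added example, not code from the thread or from the OpenLDAP project: it parses LDIF, looks each objectClass up in a hand-copied excerpt of core.schema and ppolicy.schema (organizationalRole and device are STRUCTURAL, pwdPolicy is AUXILIARY with pwdAttribute as its only MUST attribute; the MAY lists are partial), and reports the same class of problems slapd would. The sample entries are constructed from the values posted in the thread; the "fixed" variant adds organizationalRole as the reply suggests and also supplies pwdAttribute, which the pwdPolicy class requires.

```python
"""Added example: a minimal LDIF schema check for the "no structural
object class provided" failure (ldapadd error 65).  The schema excerpt
below is hand-copied and partial; it is not a full core.schema."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                       # "STRUCTURAL", "AUXILIARY" or "ABSTRACT"
    must: frozenset = frozenset()   # required attributes (lower-cased)
    may: frozenset = frozenset()    # optional attributes (lower-cased)


def _s(*names):
    return frozenset(n.lower() for n in names)


# Attributes the pwdPolicy auxiliary class allows (ppolicy.schema).
PWD_POLICY_MAY = _s("pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality",
                    "pwdMinLength", "pwdExpireWarning", "pwdGraceAuthNLimit",
                    "pwdLockout", "pwdLockoutDuration", "pwdMaxFailure",
                    "pwdFailureCountInterval", "pwdMustChange",
                    "pwdAllowUserChange", "pwdSafeModify")

# Partial schema excerpt: only the classes this example needs (MAY lists trimmed).
SCHEMA = {oc.name: oc for oc in (
    ObjectClass("top", "ABSTRACT", must=_s("objectClass")),
    ObjectClass("organizationalrole", "STRUCTURAL", must=_s("cn"),
                may=_s("description", "ou", "seeAlso", "telephoneNumber")),
    ObjectClass("device", "STRUCTURAL", must=_s("cn"),
                may=_s("description", "serialNumber", "seeAlso", "owner", "ou", "o", "l")),
    ObjectClass("pwdpolicy", "AUXILIARY", must=_s("pwdAttribute"), may=PWD_POLICY_MAY),
)}


def _lines_to_entry(lines):
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.  Handles '#'
    comments, blank-line entry separators and leading-space continuations."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(_lines_to_entry(lines))
                lines = []
        else:
            lines.append(raw)
    if lines:
        entries.append(_lines_to_entry(lines))
    return entries


def check_entry(entry):
    """Return a sorted list of schema problems for one entry ([] when clean)."""
    problems, classes = [], []
    for name in entry.get("objectclass", []):
        oc = SCHEMA.get(name.lower())
        if oc is None:
            problems.append(f"unknown objectClass '{name}'")
        else:
            classes.append(oc)
    # Exactly the rule slapd enforced in the thread: auxiliary classes alone
    # are not enough; the entry needs a structural class too.
    if not any(oc.kind == "STRUCTURAL" for oc in classes):
        problems.append("no structural object class provided")
    required = set().union(*(oc.must for oc in classes))
    allowed = required | set().union(*(oc.may for oc in classes)) | {"objectclass"}
    for attr in sorted(required - set(entry)):
        problems.append(f"missing required attribute '{attr}'")
    for attr in sorted(set(entry) - allowed - {"dn"}):
        problems.append(f"attribute '{attr}' not allowed by any objectClass")
    return sorted(problems)


# Constructed sample: the policy entry as posted (pwdPolicy only).
POSTED = """\
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdExpireWarning: 259200
pwdFailureCountInterval: 100
pwdGraceAuthNLimit: 0
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 5
pwdMaxAge: 7776000
pwdMinLength: 6
"""

# Same entry with the structural class the reply suggests, plus pwdAttribute
# (MUST in pwdPolicy; userPassword is the attribute the policy governs).
FIXED = POSTED.replace(
    "objectClass: pwdPolicy\n",
    "objectClass: organizationalRole\nobjectClass: pwdPolicy\npwdAttribute: userPassword\n")


def check_ldif(text):
    """Map each entry's DN to its list of problems."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        for dn, problems in check_ldif(text).items():
            print(f"{label}: {dn}: {problems or 'OK'}")
```

Run against the posted entry it reports the structural-class error plus the missing pwdAttribute; against the fixed entry it reports nothing, which is the state in which ldapadd should accept the file.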