Howard, Tyler, Michael,

My apologies: I take that back. The entry is indeed on the account - and it is, in fact, a system attribute.
I will endeavor to not reply to messages at 4am in the future - a bit too quick on the /assume/ thing.

BTW: How do you identify whether an attribute will be a system attribute or not? I've plenty to learn on LDAP, but even I knew to look at the schema file - and I'm not certain how one could know whether an attribute would be a system attribute.

Anyway - assuming the policy functions as expected - I'm nearly done with this beast of a one-man project.

Thanks!
- chris

PS: I'd failed to reply-to-all on my previous emails. Please pardon my mailing list etiquette and use failure. :)

________________________________________
From: Chris Jacobs
Sent: Monday, March 22, 2010 4:12 AM
To: Howard Chu
Subject: RE: attribute 'pwdPolicySubentry' cannot have multiple values

No - there's no pwdPolicySubEntry entry. The contents of the LDAP db were built via a slapcat dump from an OpenLDAP 2.2 installation, with no ppolicy.

As you can see from the LDIF of the chrisjtest 'account' - there's no pwdPolicySubEntry currently. Apache's Directory Studio and slapcat agree.

- chris

________________________________________
From: Howard Chu [[email protected]]
Sent: Saturday, March 20, 2010 2:49 AM
To: Tyler Gates
Cc: Chris Jacobs; [email protected]
Subject: Re: attribute 'pwdPolicySubentry' cannot have multiple values

Tyler Gates wrote:
> I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass
> in the target dn

No. The pwdPolicy class is for the entry that contains the policy attributes, not the entry being controlled by the policy.

> although that wouldn't explain the error message...

The error message is quite clear - the pwdPolicySubentry attribute is single-valued, you can't set multiple values for it.

> Are you sure the attribute doesn't already exist? It is a system
> attribute so depending on the browser you are using it may not appear.

That's most likely what's going on here.
> On Mar 19, 2010, at 6:59 PM, Chris Jacobs<[email protected]> wrote:
>
>> Hello,
>>
>> I've got my ldap infrastructure (mirrormode masters, 2 slaves per
>> datacenter) working fantastic (I can clear a db on a remote slave
>> and in less than 30 seconds after startup, it'll reacquire the
>> entire db!).
>>
>> I'm now having an issue with one of the very last things: getting a
>> password policy into effect.
>>
>> When I attempt to add the 'pwdPolicySubentry' attribute to a user
>> account, I get the error:
>>
>> Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry
>> (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute
>> 'pwdPolicySubentry' cannot have multiple values
>> Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check:
>> attribute 'pwdPolicySubentry' cannot have multiple values
>>
>> I get that error in the logs whether I try to add it by hand via
>> Apache Directory Studio, or an ldif import/modify:
>>
>> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
>> changetype: modify
>> add: pwdPolicySubentry
>> pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>>
>> Here are the related slapd.conf overlay directives:
>>
>> overlay ppolicy
>> ppolicy_hash_cleartext
>> ppolicy_use_lockout
>>
>> (Notice there's no ppolicy_default set - I'm still testing this
>> feature out before I roll it out.)
>>
>> And for completeness, here's the entry that I'm attempting to add
>> this attribute to:
>>
>> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> cn: ChrisJ Test
>> gidNumber: 200
>> homeDirectory: /home/chrisjtest
>> sn: chrisjtest
>> uid: chrisjtest
>> uidNumber: 583
>> description: ChrisJ Test
>> gecos: ChrisJ Test
>> loginShell: /bin/bash
>> shadowLastChange: 14657
>> userPassword::<<snipped>>
>>
>> And here's the password policy ldif:
>>
>> dn: ou=policies,dc=unix,dc=aptimus,dc=net
>> objectClass: organizationalUnit
>> objectClass: top
>> ou: policies
>>
>> dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>> objectClass: top
>> objectClass: device
>> objectClass: pwdPolicy
>> cn: default
>> pwdAttribute: userPassword
>> pwdAllowUserChange: TRUE
>> pwdExpireWarning: 172800
>> pwdFailureCountInterval: 0
>> pwdGraceAuthNLimit: 0
>> pwdInHistory: 10
>> pwdLockout: TRUE
>> pwdLockoutDuration: 1200
>> pwdMaxAge: 15897600
>> pwdMaxFailure: 3
>> pwdMinLength: 8
>> pwdMustChange: FALSE
>> pwdSafeModify: TRUE
>>
>> When I built openldap, I enabled all overlays (I know, not the most
>> efficient), and when I attempt to add moduleload ppolicy.la or
>> ppolicy.so I get in the logs:
>>
>> line 18 (moduleload ppolicy.la)
>> module_load: (ppolicy.la) already present (static)
>>
>> Which I'm pretty sure means it's already loaded...
>>
>> Any idea as to what I'm doing wrong?
>>
>> Thanks,
>> - chris
>>
>> Chris Jacobs, Jr. Linux Administrator, Information Technology &
>> Operations
>> Apollo Group | Apollo Marketing | Aptimus, Inc.
>> 2001 6th Ave | Ste 3200 | Seattle, WA 98121
>> phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
>> email: [email protected]
>>
>> This message is private and confidential. If you have received it in
>> error, please notify the sender and remove it from your system.
>>
>

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
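Added example, written for this page and not code from the thread or from OpenLDAP itself: a short Python script that answers Chris's question of how to tell a "system attribute" from the schema. In an RFC 4512 attribute type definition, a `USAGE` other than `userApplications` (typically `directoryOperation`) makes the attribute operational, which is why slapd leaves it out of a plain search and most browsers do not show it; you have to name it or request `+` (for instance `ldapsearch -x -b 'uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net' -s base '*' '+'`). `NO-USER-MODIFICATION` marks the operational attributes that only the server may write, and `SINGLE-VALUE` is the flag behind the "cannot have multiple values" error: a second `add:` on a single-valued attribute that is already present fails the schema check, while `replace:` succeeds. The script parses a few definitions, classifies them, and emits the LDIF modify that fits. The sample definitions are constructed for the example in the shape of the ppolicy draft (draft-behera-ldap-password-policy) and RFC 2798 entries as I remember them, so check them against your own server's `cn=subschema` entry before relying on the OIDs; the DNs are the ones from the thread. The parser does not follow `SUP` inheritance, so an attribute defined only via `SUP` is classified from its own flags.

```python
"""Classify LDAP attribute types from RFC 4512 definitions and build the
matching LDIF modify.  Added example; not code from the thread or OpenLDAP."""
import re

# Constructed sample input, in the form slapd returns from
#   ldapsearch -x -b cn=subschema -s base attributeTypes
# The ppolicy definitions are transcribed from memory of
# draft-behera-ldap-password-policy; verify them against your server.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' "
    "DESC 'The pwdPolicy subentry in effect for this object' "
    "EQUALITY distinguishedNameMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )",
    "( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' "
    "DESC 'The time the password was last changed' "
    "EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE "
    "NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 2.16.840.1.113730.3.1.241 NAME 'displayName' "
    "DESC 'RFC2798: preferred name to be used when displaying entries' "
    "EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
]

# Any usage other than userApplications makes the attribute operational
# (the thread's "system attribute"): slapd only returns it when a search
# names it explicitly or asks for '+'.
OPERATIONAL_USAGES = {"directoryOperation", "distributedOperation", "dSAOperation"}

_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
_USAGE_RE = re.compile(r"\bUSAGE\s+(\w+)")
_SINGLE_RE = re.compile(r"\bSINGLE-VALUE\b")
_NO_USER_MOD_RE = re.compile(r"\bNO-USER-MODIFICATION\b")


def parse_attribute_type(definition):
    """Pull the fields that matter for this problem out of one definition."""
    m = _NAME_RE.search(definition)
    if not m:
        raise ValueError("attribute type definition has no NAME: %r" % definition)
    if m.group(1) is not None:
        names = [m.group(1)]                       # NAME 'single'
    else:
        names = re.findall(r"'([^']*)'", m.group(2))  # NAME ( 'a' 'b' )
    usage_m = _USAGE_RE.search(definition)
    usage = usage_m.group(1) if usage_m else "userApplications"  # RFC 4512 default
    return {
        "names": names,
        "single_value": _SINGLE_RE.search(definition) is not None,
        "no_user_modification": _NO_USER_MOD_RE.search(definition) is not None,
        "usage": usage,
        "operational": usage in OPERATIONAL_USAGES,
    }


def load_schema(definitions):
    """Index parsed definitions by every NAME, case-insensitively."""
    schema = {}
    for definition in definitions:
        info = parse_attribute_type(definition)
        for name in info["names"]:
            schema[name.lower()] = info
    return schema


def choose_modify_op(info, already_present):
    """Pick the LDIF mod-spec that will pass slapd's schema check."""
    if info["no_user_modification"]:
        raise ValueError(
            "%s is NO-USER-MODIFICATION; only slapd may set it" % info["names"][0])
    # 'add:' of a second value to a SINGLE-VALUE attribute is exactly the
    # "cannot have multiple values" failure; 'replace:' swaps the value.
    if info["single_value"] and already_present:
        return "replace"
    return "add"


def build_modify_ldif(dn, info, value, already_present):
    """Render a changetype: modify LDIF record for one attribute value."""
    op = choose_modify_op(info, already_present)
    attr = info["names"][0]
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "%s: %s" % (op, attr),
        "%s: %s" % (attr, value),
        "-",
        "",
    ])


if __name__ == "__main__":
    schema = load_schema(SAMPLE_SCHEMA)
    for definition in SAMPLE_SCHEMA:
        info = parse_attribute_type(definition)
        print("%20s: single=%s operational=%s user-modifiable=%s" % (
            info["names"][0], info["single_value"], info["operational"],
            not info["no_user_modification"]))
    # The thread's case: the value was already there, hidden by the browser,
    # so a second 'add:' fails; 'replace:' is what the LDIF should have said.
    print(build_modify_ldif(
        "uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net",
        schema["pwdpolicysubentry"],
        "cn=default,ou=policies,dc=unix,dc=aptimus,dc=net",
        already_present=True))
```

Run against the real server, the same logic applies to the output of a `cn=subschema` search: anything reported as operational will be invisible to a default `ldapsearch` or browser view, so check for it with `'+'` (or by naming it) before deciding between `add:` and `replace:`.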
