Thank you for your reply. But then how can I use this:

dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"

I want to exclude user: search from default policy

From docs:

Finally the account entry for the user(s) to whom this policy applies are modified to point to the specific policy using the following LDIF fragment:

# point the users entry to the specific policy
dn: cn=John Smith,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,dc=example,dc=com"

----------------------------------------------------------------------------

When I tried to run it in my LDAP browser I got:

Line 4, Column 0: Unexpected line found: 'pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"'.
Line 4, Column 0: The 'add' modification operation must have at least one value specified (Attribute: 'pwdPolicySubentry').
Line 4: Unexpected end of LDIF file. The last record will not be committed.
Import data complete. Elapsed time: 0:00.
Entries processed: 0. Warning(s): 0, error(s): 3.

Can you please tell me maybe another way to exclude user:search from:

dn: cn=std, ou=ppolicy, ou=my_dn
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 7
pwdSafeModify: FALSE
pwdInHistory: 4
pwdGraceAuthNLimit: 3
pwdCheckQuality: 1
objectClass: pwdPolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
pwdLockoutDuration: 18
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdMaxAge: 7776000

Thank you

-----Original Message-----
From: Howard Chu [mailto:[email protected]]
Sent: Friday, January 21, 2011 9:36 AM
To: Alexey Shalin
Cc: [email protected]
Subject: Re: How to enable 'pwdPolicySubentry' in ppolicy.schema

Alexey Shalin wrote:
> Hello,
>
> How to enable 'pwdPolicySubentry' in ppolicy.schema, I added this into
> ppolicy.schema

Never modify the schema files distributed with OpenLDAP.

> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23
>     NAME 'pwdPolicySubentry'
>     DESC 'The pwdPolicy subentry in effect for this object'
>     EQUALITY distinguishedNameMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>     SINGLE-VALUE
>     USAGE directoryOperation )
>
> But after that my slapd did not start.

Of course. Schema files are only for defining user attributes. Operational attributes must be implemented in code and cannot be defined from a schema config file. This particular attribute is already implemented in the ppolicy overlay so there is no need to define it again anyway.

> should I upgrade openldap to the last ver ?

That would make no difference here, but it's always best to stay up to date.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
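
Added example, not part of the original messages and not OpenLDAP code: in an LDIF modify record the value lines that follow "add: X" must themselves be named X, which is what the LDAP browser's "Line 4" errors above are reporting. The sketch below checks one record for that; check_modify_record and DN_VALUED are hypothetical names, the sample records are constructed from the DNs in the message, and folded or base64 lines are not handled.

```python
import re

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)::?\s*(.*)$")
MOD_OPS = {"add", "delete", "replace"}
DN_VALUED = {"pwdpolicysubentry"}  # assumption: attributes whose value is a bare DN

# Constructed samples: the record from the message, and the same record corrected.
BROKEN = """dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"
"""
FIXED = BROKEN.replace('pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"',
                       "pwdPolicySubentry: cn=user,ou=pwpolicies,ou=my_dn")

def check_modify_record(ldif):
    """Return (line_no, message) problems in one 'changetype: modify' record."""
    problems, open_mod = [], None  # open_mod = [op, attr, line_no, n_values]

    def close():  # an 'add' that collected no value lines is an error
        if open_mod and open_mod[0] == "add" and open_mod[3] == 0:
            problems.append((open_mod[2], f"'add: {open_mod[1]}' has no value line"))

    for no, line in enumerate(ldif.strip().splitlines(), 1):
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        if line == "-":  # separator between modifications
            close()
            open_mod = None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            problems.append((no, "not a 'name: value' line"))
            continue
        name, value = m.group(1), m.group(2)
        key = name.lower()
        if key in ("dn", "changetype"):
            continue
        if open_mod is None and key in MOD_OPS:
            open_mod = [key, value.strip(), no, 0]
        elif open_mod and key == open_mod[1].lower():
            open_mod[3] += 1
            if key in DN_VALUED and value.startswith('"'):
                problems.append((no, "DN value is wrapped in quotes"))
        else:
            expected = open_mod[1] if open_mod else "add/delete/replace"
            problems.append((no, f"expected '{expected}:' but found '{name}:'"))
    close()
    return problems

if __name__ == "__main__":
    for label, record in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, check_modify_record(record))
```

The check is syntactic only; whether the referenced policy entry exists in the directory is not verified.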
