how to enable or disable users with ppolicy OpenLDAP

melive · 11-13-2012, 03:00 PM

I need a way to disable an ldap user in OpenLDAP, I'm following this answer
http://www.openldap.org/lists/openld.../msg00107.html

In my slapd.conf I have the next inf...

include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=prueba,dc=co"

Also I have this entry...

dn: cn=user,ou=pwpolicies,dc=prueba,dc=co
objectClass: pwdPolicy
objectClass: top
objectClass: person
pwdAttribute: 2.5.4.35
cn: user
pwdMaxAge: 604800
pwdInHistory: 3
pwdMaxFailure: 3
pwdLockout: TRUE
pwdMustChange: TRUE
pwdMinLength: 10
pwdSafeModify: TRUE

Now I'm trying to add:

dn: cn=pepito,cn=Users,dc=prueba,dc=co
changetype: modify
add: pwdPolicySubentry
pwdPolicy: cn=user,ou=pwpolicies,dc=prueba,dc=co

and the result is:

modifying entry "cn=pepito,cn=Users,dc=prueba,dc=co"
ldapadd: Undefined attribute type (17)
additional info: pwdPolicy: attribute type undefined

I try "pwdPolicySubentry" instead of "pwdPolicy" too but it doesn't work.

In my ppolicy.schema file I have uncommented the pwdAccountLockedTime and the pwdPolicySubentry attributetypes but nothing is working.

Anybody know what can I do? Again... please help !

bathory · 11-14-2012, 03:49 AM

Hi,

Have a look at the 2nd example here for a per user ppolicy entry.

Regards

melive · 11-14-2012, 09:17 AM

Thanks for you reply...

yes, I have followed this example too, but the problem is when I try to add this entry

dn: cn=pepito,cn=Users,dc=prueba,dc=co
changetype: modify
add: pwdPolicySubentry
pwdPolicy: cn=user,ou=pwpolicies,dc=prueba,dc=co

This is the last step in the example that you mention, I don't know what to do to solve the error.

bathory · 11-14-2012, 11:55 AM

Are you sure you're using slapd.conf or the new cn=config DIT? New versions of openldap use the cn=config approach.
In this case you need to convert the ppolicy.schema into a olcoverlay ppolicy ldif. Maybe this and/or this (under "Import Schemata"), could be of help

Regards

melive · 11-16-2012, 09:21 AM

Thanks!

You are right, I was modifying slapd.conf but my openldap configuration was taking the slapd.d conf, so I delete slapd.d then openldap takes my slapd.conf configuration.

however I was getting an error in:

dn: cn=pepito,cn=Users,dc=prueba,dc=co
changetype: modify
add: pwdPolicySubentry
pwdPolicy: cn=user,ou=pwpolicies,dc=prueba,dc=co

so I uncomment the pwdPolicySubentry and pwdAccountLockedTime attributes from ppolicy.schema and I use pwdPolicySubentry instead of pwdPolicy, also I delete this line "MUST ( pwdAttribute )" from pwdPolicy objectclass.