Old 08-21-2014, 12:33 PM   #1
ltarc3
LQ Newbie
 
Registered: Oct 2011
Posts: 6

Rep: Reputation: Disabled
openldap password policy in Ubuntu 12.04 or 14.04


Has anyone gotten this to work? I have been pulling my hair out trying to get it to work. I can see the policy being accessed in the logs but it doesn't seem to take.

I created an olc config using this slapd.conf:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema

pidfile /var/run/slapd/slapd.pid

argsfile /var/run/slapd/slapd.args

loglevel 255

modulepath /usr/lib/ldap
moduleload back_hdb
moduleload ppolicy

sizelimit 500

tool-threads 1

backend hdb


database frontend

database config
rootdn "cn=admin,cn=config"
rootpw "{SSHA}KR95GWjJ3wPKu/B4g/aIRJEy8T+BNLTg"

database hdb
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=mydomain,dc=local"

suffix "dc=mydomain,dc=local"

rootdn "cn=admin,dc=mydomain,dc=local"
rootpw "{SSHA}KR95GWjJ3wPKu/B4g/aIMFEy8T+BJ7Tg"

directory "/var/lib/ldap"


dbconfig set_cachesize 0 2097152 0


dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index objectClass eq

lastmod on

checkpoint 512 30

# "by" clauses are evaluated in order and the first match wins, so "self write"
# must come before any "self auth" (write already implies auth); otherwise users
# only ever get auth on their own userPassword and can never change it
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=mydomain,dc=local" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

access to *
    by dn="cn=admin,dc=mydomain,dc=local" write
    by * read

---
Any help would be appreciated
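One thing worth checking in any access to attrs=userPassword block: slapd uses the first "by" clause whose <who> matches the requester, so a "by self auth" written ahead of "by self write" leaves users with auth only, and self-service password changes fail with insufficient access. The Python below is an added example, not from the thread; the ACL text it parses is a constructed fragment, and it only handles the directive forms used in that fragment.

```python
# Constructed slapd.conf ACL fragment showing a common ordering pitfall: "by self auth"
# placed ahead of "by self write". ACL_FIXED is the same fragment with the two clauses swapped.
ACL_MISORDERED = """access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=mydomain,dc=local" write
by anonymous auth
by self auth
by self write
by * none
access to *
by dn="cn=admin,dc=mydomain,dc=local" write
by * read
"""
ACL_FIXED = ACL_MISORDERED.replace("by self auth\nby self write", "by self write\nby self auth")

def parse_acls(conf):
    """Return [(what, [(who, level), ...]), ...] in file order; expects one 'by' clause per line."""
    acls = []
    for line in filter(None, map(str.strip, conf.splitlines())):
        if line.startswith("access to "):
            acls.append((line[len("access to "):], []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            acls[-1][1].append((who, level))
    return acls

def what_matches(what, attr):
    return what == "*" or (what.startswith("attrs=") and attr in what[6:].split(","))

def who_matches(who, requester, target_dn):
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    return who == "*" or (who.startswith("dn=") and requester == who[3:].strip('"'))

def access_level(conf, requester, target_dn, attr):
    """slapd evaluation order: the first 'access to' whose <what> matches the target is used, and
    within it the first 'by' clause whose <who> matches the requester; later clauses are ignored."""
    for what, clauses in parse_acls(conf):
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"  # no <who> matched: implicit "by * none"
    return "none"

if __name__ == "__main__":
    user = "uid=test3,ou=people,dc=mydomain,dc=local"
    for name, conf in (("misordered", ACL_MISORDERED), ("fixed", ACL_FIXED)):
        print(name, "self on userPassword ->", access_level(conf, user, user, "userPassword"))
```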
 
Old 08-23-2014, 01:50 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
I've been using it successfully on a mix of Debian, Ubuntu, and Scientific Linux systems. Have you defined your DN "cn=default,ou=policies,dc=mydomain,dc=local"? What is the definition of the policy? What do you mean by "it doesn't seem to take"?

At my site, what I do is define a ppolicy_subentry pointing to the appropriate DN within every user DN. I've never tried specifying a default policy entry, and I'm not sure if that works. You might try explicitly setting the ppolicy_subentry for a test user and see if that works.
 
Old 08-25-2014, 11:34 AM   #3
ltarc3
LQ Newbie
 
Registered: Oct 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hi btmiller,

Thanks for the reply! This is the only lifeline I've been thrown. Yes, I did define "cn=default,ou=policies,dc=mydomain,dc=local". Here is the policy:

dn: cn=default,ou=policies,dc=mydomain,dc=local
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
structuralObjectClass: device
entryUUID: 29977c86-b74c-1033-8432-5db15c0b2efc
creatorsName: cn=admin,dc=mydomain,dc=local
createTimestamp: 20140813154223Z
pwdMinLength: 10
cn: default
pwdCheckQuality: 2
pwdSafeModify: TRUE
entryCSN: 20140822193458.399642Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=local
modifyTimestamp: 20140822193458Z

Do you mean you define pwdPolicySubentry? So you add the pwdPolicy objectClass to the user? Here is my test user from slapcat:

dn: uid=test3,ou=people,dc=mydomain,dc=local
cn: test3
homeDirectory: /export/home/test3
objectClass: account
objectClass: posixAccount
objectClass: pwdPolicy
objectClass: top
pwdAttribute: userPassword
uid: test3
structuralObjectClass: account
entryUUID: ca1c9f9c-bdbe-1033-90f0-f5d9e2776829
creatorsName: cn=admin,dc=mydomain,dc=local
createTimestamp: 20140821203801Z
gidNumber: 22005
uidNumber: 22005
loginShell: /bin/bash
pwdHistory: 20140822193600Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$gTd/gXKq$QRfswr9k2H2vfGkEPsVcu0
pwdHistory: 20140822195151Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$DHYNDbFb$yaMTEfQnuDpU/Ul.ukuqI.
pwdHistory: 20140822195658Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$pi0icktw$nNOYrtvm2efL1mxxu5JHI0
pwdMinLength: 10
pwdPolicySubentry: cn=default,ou=policies,dc=mydomain,dc=local
userPassword:: e2NyeXB0fSQxJFFBS05FSVkxJEFFMDcydUJXVy5SVjRIVHJtY1hmVzA=
pwdChangedTime: 20140822195658Z
entryCSN: 20140822195658.689785Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=local
modifyTimestamp: 20140822195658Z

dn: cn=test3,ou=groups,dc=mydomain,dc=local
cn: test3
gidNumber: 22005
objectClass: posixGroup
objectClass: top
structuralObjectClass: posixGroup
entryUUID: fd91fafc-bdbe-1033-90f1-f5d9e2776829
creatorsName: cn=admin,dc=mydomain,dc=local
createTimestamp: 20140821203928Z
entryCSN: 20140821203928.288183Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=local
modifyTimestamp: 20140821203928Z

I've tried this with and without the pwdPolicy objectClass being added and I've basically been testing password length. It accepts anything of 6 characters or more.
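To see what a policy like the one above actually implies for an account (when the password expires from pwdChangedTime plus pwdMaxAge, when the pwdExpireWarning window opens, whether the account is currently locked), here is an added Python example that is not from the thread. It parses the policy attributes posted above and the test user's pwdChangedTime; the pwdAccountLockedTime value in the sample user entry is constructed so that the lockout branch is exercised.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the policy attributes posted above, and the test user with a
# constructed pwdAccountLockedTime added so that the lockout branch is exercised.
POLICY_LDIF = """dn: cn=default,ou=policies,dc=mydomain,dc=local
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdLockout: TRUE
pwdLockoutDuration: 600
"""
USER_LDIF = """dn: uid=test3,ou=people,dc=mydomain,dc=local
pwdChangedTime: 20140822195658Z
pwdAccountLockedTime: 20140910115500Z
"""
ADMIN_LOCKED = "000001010000Z"  # sentinel ppolicy stores for "locked until an administrator resets"

def parse_ldif(text):
    """Minimal single-entry LDIF parser; folded continuation lines (leading space) are joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    entry = {}
    for line in lines:
        key, _, value = line.partition(":")
        entry.setdefault(key, []).append(value.strip())
    return entry

def gtime(s):
    """Parse an LDAP GeneralizedTime such as 20140822195658Z as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(policy, user, now):
    """Expiry, warning-window and lockout status as slapo-ppolicy would evaluate them at `now`."""
    secs = lambda attr: int(policy.get(attr, ["0"])[0])
    state = {"expired": False, "warning": False, "locked": False, "seconds_left": None}
    if secs("pwdMaxAge"):  # 0 means passwords never expire
        expires = gtime(user["pwdChangedTime"][0]) + timedelta(seconds=secs("pwdMaxAge"))
        state["seconds_left"] = int((expires - now).total_seconds())
        state["expired"] = now >= expires
        state["warning"] = not state["expired"] and now >= expires - timedelta(seconds=secs("pwdExpireWarning"))
    locked_at = user.get("pwdAccountLockedTime", [None])[0]
    if policy.get("pwdLockout", ["FALSE"])[0] == "TRUE" and locked_at:
        if locked_at == ADMIN_LOCKED or not secs("pwdLockoutDuration"):
            state["locked"] = True  # no duration: stays locked until an administrator resets it
        else:
            state["locked"] = now < gtime(locked_at) + timedelta(seconds=secs("pwdLockoutDuration"))
    return state
```

With the values above, password_state(parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF), gtime("20140910120000Z")) reports the password inside its 21-day warning window and the account still locked for another five minutes.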
 
  

