Date:      Mon, 5 Dec 2016 21:09:01 +0100
From:      Per olof Ljungmark <peo@intersonic.se>
To:        Matthew Seaman <matthew@FreeBSD.org>, freebsd-ports@freebsd.org
Subject:   Re: openldap 2.4 and ppolicy
Message-ID:  <fe71363b-9afc-fb9a-5571-4eed7cd88b10@intersonic.se>
In-Reply-To: <73ad7c1c-3d2d-ee6b-768f-6c65a6728303@freebsd.org>
References:  <B06CFFBF-8418-41D1-8802-A34A8BB5DDE9@intersonic.se> <73ad7c1c-3d2d-ee6b-768f-6c65a6728303@freebsd.org>

On 2016-12-05 11:00, Matthew Seaman wrote:
> On 12/05/16 01:55, Per Olof Ljungmark wrote:
>> Can someone who implemented ppolicy on FreeBSD please enlighten me on
>> how this is done with the cn=config backend? Openldap can be really
>> frustrating at times!
> 
> I've done this, and it is working exactly as designed for me.
> 
> You need an entry similar to this:
> 
> dn: olcOverlay={5}ppolicy
> objectClass: olcOverlayConfig
> objectClass: olcPPolicyConfig
> olcOverlay: {5}ppolicy
> olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> olcPPolicyForwardUpdates: FALSE
> structuralObjectClass: olcPPolicyConfig
> 
> Located at
> 
> cn=config/olcDatabase={1}mdb
> 
> This tells LDAP to load the ppolicy overlay.
> 
> Here olcDatabase {0} is the config tree read from
> ${LOCALBASE}/etc/openldap/slapd.d/ with olcDatabase {1} being our LDAP tree.
> Then you need to define your password policy at the specified DN within
> your main LDAP tree.

Hi Matthew,

I have gotten to a point very close to what you posted; however, I
cannot add
objectClass: olcOverlayConfig
That returns an "unwilling to perform" error. Are your overlays
statically compiled or dynamic?

Cheers,

//per



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fe71363b-9afc-fb9a-5571-4eed7cd88b10>