Date: Mon, 5 Dec 2016 21:09:01 +0100
From: Per olof Ljungmark <peo@intersonic.se>
To: Matthew Seaman <matthew@FreeBSD.org>, freebsd-ports@freebsd.org
Subject: Re: openldap 2.4 and ppolicy
Message-ID: <fe71363b-9afc-fb9a-5571-4eed7cd88b10@intersonic.se>
In-Reply-To: <73ad7c1c-3d2d-ee6b-768f-6c65a6728303@freebsd.org>
References: <B06CFFBF-8418-41D1-8802-A34A8BB5DDE9@intersonic.se> <73ad7c1c-3d2d-ee6b-768f-6c65a6728303@freebsd.org>
On 2016-12-05 11:00, Matthew Seaman wrote:
> On 12/05/16 01:55, Per Olof Ljungmark wrote:
>> Can someone who implemented ppolicy on FreeBSD please enlighten me on
>> how this is done with the cn=config backend? OpenLDAP can be really
>> frustrating at times!
>
> I've done this, and it is working exactly as designed for me.
>
> You need an entry similar to this:
>
> dn: olcOverlay={5}ppolicy
> objectClass: olcOverlayConfig
> objectClass: olcPPolicyConfig
> olcOverlay: {5}ppolicy
> olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> olcPPolicyForwardUpdates: FALSE
> structuralObjectClass: olcPPolicyConfig
>
> Located at
>
> cn=config/olcDatabase={1}mdb
>
> This tells LDAP to load the ppolicy overlay.
>
> Here olcDatabase {0} is the config tree read from
> ${LOCALBASE}/etc/openldap/slapd.d/ with olcDatabase {1} being our LDAP tree.
> Then you need to define your password policy at the specified DN within
> your main LDAP tree.

Hi Matthew,

I have gotten to a point very close to what you posted; however, I cannot add

objectClass: olcOverlayConfig

as that returns an "unwilling to perform" error.

Are your overlays statically compiled or dynamic?

Cheers,
//per
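The three pieces Matthew's reply describes, written out as one added LDIF (not from the thread or the OpenLDAP project): the module load needed on a dynamically built slapd, the overlay entry under olcDatabase={1}mdb, and the policy entry at the DN named in olcPPolicyDefault. Assumptions: modules live in /usr/local/libexec/openldap, the ppolicy schema is already loaded into cn=schema,cn=config, and the policy values are illustrative. The cn=config entries are applied with `ldapadd -Y EXTERNAL -H ldapi:///`; the ou=Policy entries with the data database's rootdn.

```ldif
# 1. Dynamic builds only: the ppolicy module must be loaded before the
#    overlay entry can be added. If cn=module,cn=config already exists,
#    use ldapmodify with "add: olcModuleLoad" instead of adding it again.
#    The module directory is an assumption (FreeBSD LOCALBASE default).
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: ppolicy.la

# 2. The overlay on the data database. No ordering index is given on
#    olcOverlay: slapd assigns the next free one. structuralObjectClass is
#    operational (set by slapd on export) and must not be sent in an add.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: FALSE

# 3. The policy itself, in the data tree. pwdPolicy is auxiliary, so a
#    structural class (person here) carries it. Values are illustrative:
#    90-day maximum age, 5 passwords of history, lockout after 5 failures
#    within 15 minutes, released automatically after 15 minutes.
dn: ou=Policy,dc=example,dc=com
objectClass: organizationalUnit
ou: Policy

dn: cn=Default Password Policy,ou=Policy,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: Default Password Policy
sn: Default Password Policy
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdInHistory: 5
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMustChange: TRUE
```

After loading, `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcPPolicyConfig)'` should return the overlay entry with the index slapd assigned.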