-----Original Message-----
From: Howard Chu [mailto:[EMAIL PROTECTED]
Sent: Mon 8/27/2007 9:04 PM
To: Aaron Richton
Cc: Paul J. Pathiakis; [email protected]
Subject: Re: Syncrepl and proxyAgent password expiration
Aaron Richton wrote:
> I'm really not that familiar with ppolicy (we don't use it here), so
> somebody else might have more specific details. However, I'd imagine that
> you either need to modify the
>
>> ppolicy_default "cn=Standard Policy,ou=Policies,dc=eagleaccess,dc=com"
>
> using the rootdn, or you need to modify the entry
> "cn=proxyAgent,ou=Profile,dc=eagleaccess,dc=com" using the rootdn, to
> either update the proxyAgent entry (so its' password is not expired) or
> grant an exemption (in the policy) to the proxyAgent.
As noted in the slapo-ppolicy(5) manpage, you can simply set the
pwdPolicySubentry attribute of the target entry to point it at a non-default
policy. So create a new policy for the proxyAgent user that does not use
password expiration, and point the proxyAgent's pwdPolicySubentry attribute at
that new policy.
Howard,
I can't seem to find that attribute in my schemas. I'm running 2.3.36 and I'd
expect that pwdPolicySubentry would be there. What do I need to the proxyAgent
user account for objectclasses so that I get the pwdPolicySubentry included?
I'm pretty new to the password policy overlay (heck, overlay's in general).
I've deleted and recreated my proxyAgent user.
It has:
inetorgperson
posixaccount
top
pwdpolicy
shadowaccount
for its objectclasses.
I'm making the assumption that since it has pwdpolicy, it should have
pwdpolicysubentry, however, it's not part of pwdpolicy as defined in the man
page and it's supposed to be accessible from the entry that I'm creating. I
guess that a user account is not what I want or is?
Thank you for any insight. (BTW, the man page was cool. :-) )
Paul Pathiakis
