Thanks for the tip. I added the pwdPolicySubentry to one user but it did not 
work, the attribute is not listed for the user.

I read that this attribute has to be enabled in the ppolicy schema?? I looked 
at my ppolicy schema which is located here: 
/etc/openldap/slapd.d/cn=config/cn=schema/cn={3}ppolicy.ldif HOWEVER I did not 
find pwdPolicySubentry.

What version of openldap is your suggestion based off? I’m running v2.4.39.

Thanks,
Liz

From: Craig White <cwh...@skytouchtechnology.com>
Date: Monday, October 5, 2015 at 2:41 PM
To: Elizabeth Real Chavez <elizabeth.r...@jpl.nasa.gov>, Michael Ströder 
<mich...@stroeder.com>, "openldap-technical@openldap.org" 
<openldap-technical@openldap.org>
Subject: RE: Allow users to change ldap password with passwd

From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On 
Behalf Of Real, Elizabeth (392K)
Sent: Monday, October 05, 2015 1:18 PM
To: Michael Ströder; openldap-technical@openldap.org
Subject: Re: Allow users to change ldap password with passwd

I have reinstalled openldap and applied slapo-ppolicy carefully looking at man 
pages and the configuration.

How do I then apply this to existing openldap accounts?

Thank you,
Liz

You need to have a ‘pwdPolicySubentry’ attribute assigned to each user and the 
value for that attribute would have to be a valid DN of the password policy 
itself.

For example, below is what I used to add password policy recently – fix as 
needed, YMMV

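#!/bin/bash
#
# assign password policy to LDAP users
# "users" is a file with one uid per line; SOME_PASSWORD holds the bind password
for USER in $(cat users); do
  # the here-document (terminated by "!") is the LDIF change record for this user
  ldapmodify -x -D cn=rootbinddn,dc=example,dc=com -w "$SOME_PASSWORD" <<!
dn: uid=$USER,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=example,dc=com
!
done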

Craig
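
An added example, not part of the original thread or the poster's script: the same assignment done as one validated LDIF batch, followed by a check that the value landed. pwdPolicySubentry is an operational attribute, so ldapsearch returns it only when it is requested by name or with "+". The DNs are the example values from the message above; the function names and the file arguments are assumptions, and `replace` is used instead of `add` so the batch can be re-run.

```shell
#!/bin/bash
# Added example. DNs are the example values from the thread; everything else
# (function names, users file, password file) is hypothetical.
BASE_DN="ou=people,dc=example,dc=com"
BIND_DN="cn=rootbinddn,dc=example,dc=com"
POLICY_DN="cn=personnelpp,ou=Policies,dc=example,dc=com"

# Accept only plain uids, so a stray line in the list cannot alter the DN,
# the search filter, or the LDIF stream.
valid_uid() {
  case $1 in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# stdin: one uid per line. stdout: one LDIF modify record per valid uid.
gen_policy_ldif() {
  while IFS= read -r uid || [ -n "$uid" ]; do
    if ! valid_uid "$uid"; then
      echo "skipping invalid uid: '$uid'" >&2
      continue
    fi
    printf 'dn: uid=%s,%s\nchangetype: modify\n' "$uid" "$BASE_DN"
    # replace (not add) keeps the run idempotent for users already assigned
    printf 'replace: pwdPolicySubentry\npwdPolicySubentry: %s\n\n' "$POLICY_DN"
  done
}

# apply_policy USERS_FILE PW_FILE
# One ldapmodify call for the whole batch. -y reads the bind password from a
# file, keeping it out of the process list; -c continues past failed entries.
apply_policy() {
  gen_policy_ldif < "$1" | ldapmodify -x -c -D "$BIND_DN" -y "$2"
}

# show_policy UID PW_FILE
# Requests the operational attribute by name; a plain search omits it.
show_policy() {
  valid_uid "$1" || return 1
  ldapsearch -x -LLL -D "$BIND_DN" -y "$2" -b "$BASE_DN" \
    "(uid=$1)" pwdPolicySubentry
}
```

The password file passed to -y must not end in a newline (create it with `printf`, not `echo`) and should be readable only by its owner.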
