Thanks for the tip. I added the pwdPolicySubentry to one user but it did not work, the attribute is not listed for the user.
I read that this attribute has to be enabled in the ppolicy schema?? I looked at my ppolicy schema which is located here: /etc/openldap/slapd.d/cn=config/cn=schema/cn={3}ppolicy.ldif HOWEVER I did not find pwdPolicySubentry. What version of openldap is your suggestion based of? I’m running v2.4.39. Thanks, Liz From: Craig White <cwh...@skytouchtechnology.com<mailto:cwh...@skytouchtechnology.com>> Date: Monday, October 5, 2015 at 2:41 PM To: Elizabeth Real Chavez <elizabeth.r...@jpl.nasa.gov<mailto:elizabeth.r...@jpl.nasa.gov>>, Michael Ströder <mich...@stroeder.com<mailto:mich...@stroeder.com>>, "openldap-technical@openldap.org<mailto:openldap-technical@openldap.org>" <openldap-technical@openldap.org<mailto:openldap-technical@openldap.org>> Subject: RE: Allow users to change ldap password with passwd From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Real, Elizabeth (392K) Sent: Monday, October 05, 2015 1:18 PM To: Michael Ströder; openldap-technical@openldap.org<mailto:openldap-technical@openldap.org> Subject: Re: Allow users to change ldap password with passwd I have reinstalled openldap and applied slapo-ppolicy carefully looking at man pages and the configuration. How do I then apply this to existing openldap accounts? Thank you, Liz You need to have a ‘pwdPolicySubentry’ attribute assigned to each user and the value for that attribute would have to be a valid DN of the password policy itself. For example, below is what I used to add password policy recently – fix as needed, YMMV #!/bin/bash # # assign password policy to LDAP users for USER in `cat users`; do ldapmodify -x -D cn=rootbinddn,dc=example,dc=com -w $SOME_PASSWORD <<! dn: uid=$USER,ou=people,dc=example,dc=com changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=example,dc=com ! Done Craig