How to set Maximum Password Expiry in OpenLDAP Linux

openldap

I am trying to find how to change some password policy settings in OpenLDAP (on a system-wide level, not on a per-user level) such that all LDAP account users (i.e., existing and new users) have their passwords expire after 90 days.

I know the main parameter that controls this is the maxPasswdAge parameter but I am not sure how to set this. I have tried different ldapmodify options
but it fails:

ldapmodify -W -x -D "cn=Manager,dc=mydomain,dc=local" -f test.ldif 

dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 7776000

The error message was:

modifying entry "cn=pwdpoilicyentry,cn=common,cn=products,cn=Oraclecontext,dc=mydomain,dc=com"
ldapmodify :no such object(32)

matched DN: dc=mydomain,dc=com 

My questions are:

Are there any alternatives to doing this, for example just changing a setting manually somewhere in a configuration file and restarting the LDAP server?

Are there any services that need to be bounced once this is done?

Best Answer

It looks like you may be missing entries in the tree to the policy entry.

You will need to load the slapo-ppolicy overlay. The man page for the module specifies what you need to set up. I find the Zytrax documentation useful as well.
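As an added example (not part of the answer, and not code from the OpenLDAP project), a shell script that writes the two LDIFs the ppolicy overlay needs for a 90-day maximum age and applies them. The module path, the database DN, the suffix and the policy DN are assumptions and must be adjusted to match the server.

```shell
#!/bin/sh
# Assumptions (not from the question or answer): OpenLDAP with cn=config,
# the mdb database at olcDatabase={1}mdb,cn=config, modules under
# /usr/lib64/openldap, and the suffix dc=mydomain,dc=com. Adjust as needed.
MODULE_PATH=/usr/lib64/openldap
DB_DN='olcDatabase={1}mdb,cn=config'
SUFFIX='dc=mydomain,dc=com'
POLICY_DN="cn=default,ou=policies,$SUFFIX"

# pwdMaxAge is expressed in seconds; 90 days = 7776000.
days_to_seconds() { echo $(( $1 * 86400 )); }

# LDIF 1: load ppolicy.la and attach the overlay to the database, pointing
# every entry without its own pwdPolicySubentry at the default policy.
# If cn=module{0},cn=config already exists, add olcModuleLoad to it with
# ldapmodify instead of creating a new module entry.
overlay_ldif() {
cat <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $MODULE_PATH
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,$DB_DN
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
EOF
}

# LDIF 2: the policy entry itself. pwdPolicy is an auxiliary class, so the
# entry also needs a structural class (organizationalRole here).
policy_ldif() {
cat <<EOF
dn: ou=policies,$SUFFIX
objectClass: organizationalUnit
ou: policies

dn: $POLICY_DN
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: $(days_to_seconds 90)
EOF
}

# Apply: cn=config over the local root socket, the policy entry as the manager.
apply_policy() {
  overlay_ldif | ldapadd -Y EXTERNAL -H ldapi:///
  policy_ldif  | ldapadd -x -W -D "cn=Manager,$SUFFIX" -H ldap://localhost
}
```

Changes made through cn=config take effect immediately, so slapd does not need to be restarted. pwdMaxAge is counted from each entry's pwdChangedTime, which the overlay only stamps on password changes made after it is active, so an existing account with no pwdChangedTime does not expire until 90 days after its next password change.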