We have working installation of OpenLDAP version 2.4 which is using shadowAccount attributes. I want to enable ppolicy overlays.
I have gone through the steps provided at OpenLDAP and ppolicy howto. I have made the changes to slapd.conf and imported the password policy.
On restart OpenLDAP is working fine and I can see the password policy when I do a ldapsearch.
The user object looks like given below.
# extended LDIF
#
# LDAPv3
# base <dc=xxxxx,dc=in> with scope subtree
# filter: uid=testuser
# requesting: ALL
#
# testuser, People, xxxxxx.in
dn: uid=testuser,ou=People,dc=xxxxx,dc=in
uid: testuser
cn: testuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 569
gidNumber: 1005
homeDirectory: /data/testuser
userPassword:: xxxxxxxxxxxxx
shadowLastChange: 15079
The password policy is given below.
# default, policies, xxxxxx.in
dn: cn=default,ou=policies,dc=xxxxxx,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 0
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
I do not what should be done after this. How can the shadowAccount attributes be replaced with the password policy.
Best Answer
shadowAccountattributes have nothing to do with the password policies. Password policies (which themselves are based on a draft RFC and could change tomorrow or die completely) are managed the server. The shadow stuff is managed by LDAP clients. For example, the password policies allow the server to enforce password history and quality on the server side, but clients must handle theshadowAccountstuff.