I am using Openldap 2.4.11 in Fedora Core 13.
I am trying to create a password policy:
dn: cn=default,ou=policies,dc=estream,dc=com,dc=my
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: 2.5.4.35
sn: test
If I specify pwdAttribute as "userPassword", I get an error:
LDAP: error code 21 - pwdAttribute: value #0 invalid per syntax
Instead, I am forced to use the OID for pwdAttribute:
pwdAttribute: 2.5.4.35
Is that possible to use "userPassword" instead of "2.5.4.35" for pwdAttribute?
I attempted to configure openldap to load the module ppolicy.la in cn=config, but that doesn't seem to work either, even after restarting the slapd service a few times:
dn: cn=module{0},cn=config
objectClass: olcConfig
objectClass: olcModuleList
objectClass: top
cn: module{0}
olcModuleLoad: {0}/usr/lib64/openldap/ppolicy.la
You can specify either an OID or the attribute name, provided both the relevant schema and the ppolicy overlay are loaded.
Why have you got objectClass=person in there? A password policy isn't a person. It's customary to use objectClass=device as the structural class for password policies.
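Putting both replies together, here is an added example (not from the original poster or either answerer) of the complete cn=config setup the first answer refers to, followed by a policy entry that uses objectClass=device as the second answer suggests. pwdPolicy is an AUXILIARY class, which is why a structural class is needed at all. The database RDN olcDatabase={2}bdb, the module path, the schema file location and the policy values (8-character minimum, lockout after 5 failures for 15 minutes) are assumptions for illustration; adjust them to your server.

```ldif
# Step 0 (not shown as an entry here): load the ppolicy schema first, using the
# file shipped with OpenLDAP (path assumed for Fedora):
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
# Without it, slapd has no definition for pwdPolicy/pwdAttribute and rejects
# the attribute name with "invalid per syntax" (error code 21).

# Step 1: load the overlay module. If cn=module{0} already exists on your
# server, use ldapmodify to add an olcModuleLoad value to it instead of
# adding a new entry.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: ppolicy.la

# Step 2: attach the overlay to the database that holds your users
# ({2}bdb is an assumption; check with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=*)" dn).
# olcPPolicyDefault names the policy applied to entries that carry no
# pwdPolicySubentry of their own.
dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=estream,dc=com,dc=my
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

# Step 3 (data DIT, bind as the database rootdn rather than -Y EXTERNAL):
# the container and the policy itself. device is the structural class;
# pwdPolicy is auxiliary and supplies the pwd* attributes.
dn: ou=policies,dc=estream,dc=com,dc=my
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=estream,dc=com,dc=my
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 8
pwdInHistory: 5
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
```

Apply the cn=config entries with ldapadd -Y EXTERNAL -H ldapi:/// and the two data entries bound as the rootdn, and verify the module and overlay took effect with an ldapsearch of cn=config for (olcOverlay=ppolicy) before adding the policy entry. pwdAttribute: userPassword is accepted once the schema is loaded; the OID 2.5.4.35 only worked earlier because slapd could still match it as a raw OID with no schema to check the name against. Note that pwdPolicy applies only to binds and modifications of userPassword that go through slapd (not to hashes written by an administrator bypassing the overlay), and olcPPolicyHashCleartext hashes only clear-text values a client sends; it does not upgrade existing hashes.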