Chapter 7. Managing User Accounts and Passwords

dn: cn="cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com",
 cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy

3. Assign the DN of the entry above as the value of the pwdpolicysubentry attribute of the target entry. For example, this assigns the password policy to the user entry:

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: pwdpolicysubentry
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com",
 cn=nsPwPolicyContainer,ou=people,dc=example,dc=com

4. Set the password policy attributes of the subtree or user entry to the appropriate values.
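The two LDIF operations from steps 2 and 3, generated for any user DN with the line folding LDIF requires (continuation lines start with one space), together with a check that encodes the nsslapd-pwpolicy-local rule from the note that follows. This is an added Python example, not code from the Red Hat guide; the DNs are the guide's own, and the cn=config and user records it checks are constructed samples.

```python
USER_DN = "uid=jdoe,ou=people,dc=example,dc=com"                    # DNs from the guide
CONTAINER_DN = "cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

def fold(line, width=76):
    """Fold one LDIF line; RFC 2849 continuation lines begin with a single space."""
    out, rest = [], line
    while len(rest) > width:
        out.append(rest[:width])
        rest = " " + rest[width:]
    out.append(rest)
    return "\n".join(out)

def unfold(ldif_text):
    return ldif_text.replace("\n ", "")  # rejoin continuation lines

def policy_dn(user_dn, container_dn=CONTAINER_DN):
    """Step 2: the subentry's cn is the user's DN, quoted because it contains commas."""
    return f'cn="cn=nsPwPolicyEntry,{user_dn}",{container_dn}'

def policy_subentry_ldif(user_dn, container_dn=CONTAINER_DN):
    """Step 2: LDIF that creates the per-user password policy subentry."""
    lines = [f"dn: {policy_dn(user_dn, container_dn)}", "objectclass: top",
             "objectclass: extensibleObject", "objectclass: ldapsubentry",
             "objectclass: passwordpolicy"]
    return "\n".join(fold(ln) for ln in lines) + "\n"

def assign_policy_ldif(user_dn, container_dn=CONTAINER_DN):
    """Step 3: LDIF modify that points the user's pwdpolicysubentry at that subentry."""
    lines = [f"dn: {user_dn}", "changetype: modify", "replace: pwdpolicysubentry",
             f"pwdpolicysubentry: {policy_dn(user_dn, container_dn)}"]
    return "\n".join(fold(ln) for ln in lines) + "\n"

def attrs(ldif_text):
    rec = {}  # one LDIF record as {attribute: [values]}, attribute names lower-cased
    for line in unfold(ldif_text).splitlines():
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            rec.setdefault(name.strip().lower(), []).append(value.strip())
    return rec

def local_policy_effective(config_ldif, user_ldif):
    """The rule from the note: a per-user policy is enforced only when cn=config has
    nsslapd-pwpolicy-local: on AND the user entry carries a pwdpolicysubentry."""
    local = [v.lower() for v in attrs(config_ldif).get("nsslapd-pwpolicy-local", [])]
    return local == ["on"] and bool(attrs(user_ldif).get("pwdpolicysubentry"))

# Constructed sample records (not real server output) to exercise the check.
CONFIG_OFF = "dn: cn=config\nnsslapd-pwpolicy-local: off\n"
CONFIG_ON = "dn: cn=config\nnsslapd-pwpolicy-local: on\n"
USER_ENTRY = f"dn: {USER_DN}\n" + fold(f"pwdpolicysubentry: {policy_dn(USER_DN)}") + "\n"
```

Feed the generated LDIF to ldapmodify as in the steps above; the check is useful after running the ns-newpwpolicy.pl script, since a user entry that names a policy subentry is still governed by the global policy while nsslapd-pwpolicy-local is off.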

Table 7.1, “Password Policy Attributes” describes the attributes available to configure the password policy. The ldapmodify utility can be used to change these attributes in the cn=config entry.

NOTE

The nsslapd-pwpolicy-local attribute of the cn=config entry controls the type of password policy the server enforces. By default, this attribute is disabled (off). When the attribute is disabled, the server only checks for and enforces the global password policy; the subtree and user level password policies are ignored. When the ns-newpwpolicy.pl script runs, it first checks for the specified subtree and user entries and, if they exist, modifies them. After updating the entries successfully, the script sets the nsslapd-pwpolicy-local configuration parameter to on. If the subtree and user level password policy should not be enabled, be sure to set nsslapd-pwpolicy-local to off after running the script.

To turn off user and subtree level password policy checks, set the nsslapd-pwpolicy-local attribute to off by modifying the cn=config entry. For example: [1]

[1] The LDAP tools referenced in this guide are Mozilla LDAP, installed with Directory Server in the /usr/lib/mozldap directory on Red Hat Enterprise Linux 5 i386; directories for other platforms are listed in Section 2, “LDAP Tool Locations”. However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL and allow simple authentication.
