How to set Maximum Password Expiry in OpenLDAP Linux

Question

I am trying to find how to change some password policy settings in OpenLDAP (on a system-wide level, not on a per user level) such that all LDAP account users (i.e., existing and new users) have their passwords to expire after 90 days.

I know the main parameter that controls this is the maxPasswdAge parameter but I am not sure how to set this. I have tried different ldapmodify options but it fails:

ldapmodify -W -x -D "cn=Manager,dc=mydomain,dc=local" -f test.ldif 

dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 7776000

The error message was ..

modifying entry "cn=pwdpoilicyentry,cn=common,cn=products,cn=Oraclecontext,dc=mydomain,dc=com"
ldapmodify :no such object(32)

matched DN: dc=mydomain,dc=com

My questions are

Are there any alternatives to doing this, for example: just change a setting manually somewhere in some configuration file and restart the LDAP server.

Are there any services that need to be bounced once this is done?

How is the system using LDAP to pull this information? Is pam-ldap or nss-ldap being used? — Tim, Jan 13 '12 at 14:42

score 0 · Answer 1 · answered Dec 02 '11 at 13:11

0

It looks like you may be missing entries in the tree to the policy entry.

You will need to load the slapo-ppolicy overlay. The man page for the module specifies what you need to setup. I find the Ztrax documentation useful as well.

answered Dec 02 '11 at 13:11

BillThor

27,737
3
37
69

Thanks for your help but i think i already have slapo-overlay, any other thoughts please – Dominiqs Feb 21 '12 at 18:24

score 0 · Answer 2 · answered Nov 10 '15 at 11:21

The tool to achieve what you need is ppolicy.

This a multi-step task involving:

a module add;
a schema add;
a overlay add to a given database (it also defines which policy entry is the default policy);
one or more entry adds which define the password policies (one can be the default policy).

In the entry defined at step 4 you can modify the pwdMaxAge attribute.

score -2 · Answer 3 · answered Jan 16 '12 at 14:26

-2

Your "user" entry in the LDAP directory needs to have 2 attributes:

passwordExp: on
passwordMaxAge: 8640000

8640000 = 100 days.

answered Jan 16 '12 at 14:26

Tim

3,017
17
15

Tim Thanks very much but how do you change these attributes , what command will you use exactly – Dominiqs Jan 17 '12 at 15:00
Tim, still havent found out how to do this , i have had no solution or reply , any more suggestions .How do i set these attributes please – Dominiqs Mar 13 '12 at 10:21
which directory or config file are we talking about openldap.conf – Dominiqs Mar 23 '12 at 14:30
It's not OpenLDAP related. Maybe it's a setting found on: Sun ONE Directory Server – 473183469 Nov 10 '15 at 11:08
Tim, the question is about OpenLDAP: these are not valid OpenLDAP attributes. – user207421 Dec 05 '16 at 23:29

How to set Maximum Password Expiry in OpenLDAP Linux

3 Answers3

Linked

Related