Red Hat Directory Server 8.0 Administrator's Guide

[1] The LDAP tools referenced in this guide are Mozilla LDAP, installed with Directory Server in the /usr/lib/mozldap directory on Red Hat Enterprise Linux 5 i386; directories for other platforms are listed in Section 2, “LDAP Tool Locations”. However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL and allow simple authentication.
dn: cn="cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
3. Assign the DN of the entry above as the value of the pwdpolicysubentry attribute of the target entry. For example, this assigns the password policy to the user entry:
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: pwdpolicysubentry
pwdpolicysubentry: "cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
4. Set the password policy attributes of the subtree or user entry to the appropriate values. Table 7.1, “Password Policy Attributes” describes the attributes available to configure the password policy. The ldapmodify utility can be used to change these attributes in the cn=config entry.
NOTE
The nsslapd-pwpolicy-local attribute of the cn=config entry controls the type of password policy the server enforces. By default, this attribute is disabled (off). When the attribute is disabled, the server only checks for and enforces the global password policy; the subtree and user level password policies are ignored. When the ns-newpwpolicy.pl script runs, it first checks for the specified subtree and user entries and, if they exist, modifies them. After updating the entries successfully, the script sets the nsslapd-pwpolicy-local configuration parameter to on. If the subtree and user level password policy should not be enabled, be sure to set nsslapd-pwpolicy-local to off after running the script.
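As an added example, not taken from the guide, the following Python builds the LDIF change records for step 3 and for the nsslapd-pwpolicy-local switch described in the note. It folds long lines the way RFC 2849 requires (a continuation line starts with one space), so the long policy DN that the guide wraps for display stays a single logical line when the file is fed to ldapmodify. The user DN, policy DN and attribute names are the ones shown on this page; the 76-column width is the conventional LDIF limit, not a server setting.

```python
# Added example: generate RFC 2849 LDIF for the per-user password policy
# assignment (step 3) and for toggling nsslapd-pwpolicy-local in cn=config.
import base64

# Policy entry DN exactly as written in the guide (constructed sample data).
POLICY_ENTRY_DN = ('cn="cn=nsPwPolicyEntry,uid=jdoe,ou=people,dc=example,dc=com",'
                   'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com')
USER_DN = "uid=jdoe,ou=people,dc=example,dc=com"


def _needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, not starting with ' ', ':' or '<'."""
    return (not value.isascii() or value[:1] in (" ", ":", "<")
            or any(c in value for c in "\0\r\n"))


def ldif_line(attr: str, value: str, width: int = 76) -> str:
    """One attribute line, base64-encoded ('::') when required, folded at `width`."""
    if _needs_base64(value):
        line = f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    else:
        line = f"{attr}: {value}"
    pieces, rest = [line[:width]], line[width:]
    while rest:                       # continuation lines carry a leading space
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def assign_policy_ldif(user_dn: str, policy_dn: str) -> str:
    """Step 3: point the user's pwdpolicysubentry at the per-user policy entry."""
    return "\n".join([ldif_line("dn", user_dn), "changetype: modify",
                      "replace: pwdpolicysubentry",
                      ldif_line("pwdpolicysubentry", policy_dn), "-", ""])


def pwpolicy_local_ldif(enabled: bool) -> str:
    """Set nsslapd-pwpolicy-local in cn=config; off means only the global policy applies."""
    return "\n".join(["dn: cn=config", "changetype: modify",
                      "replace: nsslapd-pwpolicy-local",
                      ldif_line("nsslapd-pwpolicy-local", "on" if enabled else "off"), "-", ""])


def unfold(ldif: str) -> list:
    """Reverse the folding, as an LDAP client does on input, so records can be checked."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    print(assign_policy_ldif(USER_DN, POLICY_ENTRY_DN))
    print(pwpolicy_local_ldif(False))
```

Pipe either function's output to ldapmodify to apply it; unfold() is only there to verify that the folded file round-trips to the original DN.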
To turn off user and subtree level password policy checks, set the nsslapd-pwpolicy-local attribute to off by modifying the cn=config entry. For example:
Chapter 7. Managing User Accounts and Passwords