Question: Why am I failing to add the objectclass pwdPolicy to cn=PasswordDefaults?
Background Information
I am new to LDAP and I'm stumbling through various tutorials and other tips online to create a directory that will handle user information for me. I'm trying to create an LDAP server that will contain user information and enforce a password policy. To achieve this, I believe that I need to add the pwdPolicy objectclass to ou=Policies to my LDAP server running 2.4.40. I'm loosely following these tutorials:
Password Policy tutorial: https://tobrunet.ch/articles/openldap-password-policy-overlay/
Getting started with OpenLDAP and CentOS7: https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
Default and User Specific Password Policy: http://www.zytrax.com/books/ldap/ch6/ppolicy.html
I have a directory laid out like this:
-> Root stuff
-> dc=example,dc=com
-> cn=Manager (The olcRootDN)
-> ou=User
-> *Several entries with objectClasses {posixAccount, shadowAccount, inetOrgPerson}*
-> ou=Policies (Not sure if this is here, because it is not visible in Apache Directory Studio)
-> cn=passwordDefault
Here is what I have done to try to use the ppolicy.
Steps 1-3 loosely follow the commands from the "OpenLDAP with OLC" section of the OpenLDAP Password Policy overlay tutorial.
Step 1: Load the ppolicy schema into the OLC with this command:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
Understanding of Step 1: adds cn={5}ppolicy.ldif to /.../slapd.d/cn=config/cn=schema
Step 2: Load the module with this command:
ldapadd -D "cn=config" -W -f addPpolicyOverlay.ldif
contents of addPpolicyOverlay.ldif
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: ppolicy.la
Understanding of Step 2: adds cn=module{0}.ldif to /.../slapd.d/cn=config.
Step 3: Configure the ppolicy overlay with this command:
ldapadd -D "cn=config" -W -f configurePpolicyOverlay.ldif
contents of configurePpolicyOverlay.ldif
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=example,dc=com
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
Understanding of Step 3: Makes a database and uses the ppolicy overlay. Makes ou=Policies in my domain dc=example,dc=com. I am unable to explore ou=Policies in Apache Directory Studio even though I believe it exists in dc=example,dc=com.
Questions about Step 3: Do I now have a working default password policy?
Step 4: Fails to add the pwdPolicy objectclass to olcOverlay={0}ppolicy with this command:
ldapmodify -a -D "cn=config" -W -f configureDefaultPpolicy.ldif
Error: ldapmodify: invalid format (line 5) entry: "olcOverlay={0}ppolicy,cn=olcDatabase={2}hdb,cn=config"
contents of configureDefaultPpolicy.ldif
dn: olcOverlay={0}ppolicy,cn=oldDatabase={2}hdb,cn=config]
changetype: modify
olcObjectClasses: pwdPolicy
cn=passwordDefault,ou=Policies,dc=example,dc=com
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdInHistory: 50
pwdMaxFailure: 3
pwdMinLength: 8
Questions about Step 4: http://i.imgur.com/80yPJVG.jpg (Not trusted enough to embed pictures :( )
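Added example, not part of the original question and not OpenLDAP's own code. Two facts from the ppolicy schema drive it: the default policy named in olcPPolicyDefault is an ordinary entry in the data backend (ou=Policies,dc=example,dc=com), not an attribute of the overlay entry under cn=config, and pwdPolicy is an AUXILIARY class whose only required attribute is pwdAttribute, so it must be combined with a structural class (person is used here). The script below is a small LDIF linter that applies the same line-shape rule behind ldapmodify's "invalid format (line N)" message and then checks those ppolicy points; its line numbering can differ from ldapmodify's for changetype: modify records, since ldapmodify parses those as add/replace/delete directives. The corrected LDIF it generates, the reconstruction of the failing file, and the regex-based checks are this example's own assumptions; the base DN and policy values are the ones in the question.

```python
"""Lint an LDIF file before handing it to ldapadd or ldapmodify.

Constructed example for the question above; the checks are heuristics of
this script, not OpenLDAP's parser. Both LDIF samples are built inline.
"""
import re

# "attribute: value", "attribute:: base64" or "attribute:< url"
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?|:<)\s*(.*)$")
# one RDN, attr=value with no stray brackets (the post's DN ended in "]")
RDN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,\[\]]+$")
# structural classes commonly paired with the AUXILIARY pwdPolicy class
STRUCTURAL = {"person", "organizationalrole", "device", "applicationprocess"}


def parse_records(text):
    """Return (records, problems); a record is a list of (lineno, attr, value)."""
    records, current, problems = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():                      # blank line ends a record
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith("#"):
            continue
        if raw[0] in " \t" and current:          # folded continuation line
            lno, attr, val = current[-1]
            current[-1] = (lno, attr, val + raw[1:])
            continue
        m = LINE_RE.match(raw)
        if not m:                                # same failure ldapmodify reports
            problems.append(f"invalid format (line {lineno}): {raw.strip()!r}")
            continue
        current.append((lineno, m.group(1), m.group(3).strip()))
    if current:
        records.append(current)
    return records, problems


def lint_ppolicy_ldif(text):
    """Return a list of problems; an empty list means the LDIF looks sane."""
    records, problems = parse_records(text)
    for rec in records:
        attrs = {}
        for _, attr, val in rec:
            attrs.setdefault(attr.lower(), []).append(val)
        first = rec[0][0]
        dn = attrs.get("dn", [""])[0]
        if not dn:
            problems.append(f"line {first}: record has no dn")
            continue
        for rdn in dn.split(","):
            if not RDN_RE.match(rdn):
                problems.append(f"line {first}: malformed RDN {rdn.strip()!r} in dn")
        if "olcobjectclasses" in attrs and "cn=schema" not in dn.lower():
            problems.append(f"line {first}: olcObjectClasses defines a schema class; "
                            "use 'objectClass:' to put a class on an entry")
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "pwdpolicy" in classes:
            if dn.lower().endswith("cn=config"):
                problems.append(f"line {first}: pwdPolicy entries live in the data tree "
                                "that olcPPolicyDefault points to, not under cn=config")
            if "pwdattribute" not in attrs:
                problems.append(f"line {first}: pwdPolicy requires pwdAttribute")
            if not classes & STRUCTURAL:
                problems.append(f"line {first}: pwdPolicy is AUXILIARY; add a "
                                "structural class such as person")
    return problems


def default_policy_ldif(base_dn="dc=example,dc=com"):
    """LDIF (for ldapadd against the data DB) creating ou=Policies and the
    default policy named in olcPPolicyDefault; person supplies cn and sn."""
    return f"""dn: ou=Policies,{base_dn}
objectClass: organizationalUnit
ou: Policies

dn: cn=passwordDefault,ou=Policies,{base_dn}
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdInHistory: 50
pwdMaxFailure: 3
pwdMinLength: 8
"""


# The failing file from the question, reconstructed here as sample input.
BROKEN_LDIF = """dn: olcOverlay={0}ppolicy,cn=oldDatabase={2}hdb,cn=config]
changetype: modify
olcObjectClasses: pwdPolicy
cn=passwordDefault,ou=Policies,dc=example,dc=com
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdInHistory: 50
pwdMaxFailure: 3
pwdMinLength: 8
"""

if __name__ == "__main__":
    for name, ldif in (("broken", BROKEN_LDIF), ("fixed", default_policy_ldif())):
        print(name, lint_ppolicy_ldif(ldif) or "ok")
```

Two caveats on the generated policy: pwdMinLength is only enforced when pwdCheckQuality is set to 1 or 2, and pwdMaxFailure only locks an account when the policy also carries pwdLockout: TRUE (the overlay-level olcPPolicyUseLockout controls whether the lockout is reported to the client, not whether it happens).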