
If I do this, it is applicable to all users.

ldapadd -v -H "ldaps://hostName/" -x -W -D cn=admin,dc=mydomain,dc=com -f pwdMaxAge.ldif 

dn: cn=passwordDefault,ou=Policies,dc=mydomain,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 3000

Tried the below ldif to set pwdMaxAge for an existing user:

ldapadd -v -H "ldaps://hostName/" -x -W -D cn=admin,dc=mydomain,dc=com -f pwdMaxAge_user.ldif

dn: cn=test2,ou=Users,dc=mydomain,dc=com
objectClass: device
objectClass: pwdPolicy
objectClass: top
pwdAttribute: userPassword
cn: test2
uid: test2
pwdMaxAge: 300

It gives:

ldap_initialize( ldaps://hostName:636/??base )
add objectClass:
    device
    pwdPolicy
    top
add pwdAttribute:
    userPassword
add cn:
    test2
add pwdMaxAge:
    300
adding new entry "cn=test2,ou=Users,dc=mydomain,dc=com"
ldap_add: Object class violation (65)
    additional info: attribute 'uid' not allowed

It adds a new CN if I remove UID, but that doesn't help set pwdMaxAge for the user. How do I set it correctly?

Edit: Started creating individual policies: cat ppolicy_individual.ldif

dn: cn=fin_user,ou=Policies,dc=mydomain,dc=com
objectClass: device
objectClass: pwdPolicy
cn: fin_user
pwdAttribute: userPassword
pwdMaxAge: 300
pwdInHistory: 0
pwdMaxFailure: 0
pwdLockout: FALSE
pwdMinLength: 0
pwdSafeModify: FALSE

cat pwdPolicySubentry.ldif

dn: cn=test2,ou=Users,dc=mydomain,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry:  cn=fin_user,ou=Policies,dc=mydomain,dc=com
# ldapmodify -v -H "ldaps://hostName/" -x -W -D cn=admin,dc=mydomain,dc=com -f pwdPolicySubentry.ldif 
ldap_initialize( ldaps://hostName:636/??base )
add pwdPolicySubentry:
    cn=fin_user,ou=Policies,dc=mydomain,dc=com
modifying entry "uid=test2,ou=Users,dc=mydomain,dc=com"
modify complete

But it doesn't seem to make any difference.

james

1 Answer

The generic error "Object class violation, attribute 'attribute_name' not allowed" means that you're trying to set an attribute that is not defined in the ObjectClasses available for that entry.

In other words, you first need to add an ObjectClass that provides the attribute, before you can set it. The uid attribute is provided by a number of different object classes.

From https://ldapwiki.com/wiki/Uid

uid is used as MUST (a required attribute when using that object class) in:

  • posixAccount
  • shadowAccount
  • sambaSamAccount
  • dicAppInfo

Used MAY in:

  • Person
  • organizationalPerson
  • inetOrgPerson

But selecting and using one of those Object classes will not only make the uid available; they will usually also require other attributes to be set. So pick with care.

When you amend your ldif and try, for instance, the posixAccount object class:

dn: cn=test2,ou=Users,dc=mydomain,dc=com
objectClass: device
objectClass: pwdPolicy
objectClass: top
objectClass: PosixAccount
pwdAttribute: userPassword
cn: test2
uid: test2
pwdMaxAge: 300

And you will also need to set the uidNumber, gidNumber and homeDirectory.

HBruijn
  • sorry, adding `PosixAccount`, `uidNumber` and other attributes didn't help. After some research, looks like I'll have to use `pwdPolicySubentry` to get it working - http://www.zytrax.com/books/ldap/ch6/ppolicy.html – james Sep 20 '19 at 12:35
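The two checks behind the "Object class violation (65)" the answer explains (every attribute must be MUST or MAY of one of the entry's object classes, and every MUST of those classes must be present), as an added Python example that is not part of the question or the answer. The schema table is a constructed subset recalled from RFC 2307, RFC 2256 and the OpenLDAP ppolicy schema (an assumption, not from the page); the embedded entries are the question's failing LDIF and the answer's posixAccount variant, so the script reproduces offline why the first one rejects `uid` and what the second one still lacks.

```python
# Constructed schema subset (assumption, recalled from RFC 2307, RFC 2256 and the
# OpenLDAP ppolicy schema, not from the page): objectClass -> (MUST, MAY), lowercased.
SCHEMA = {
    "top": ({"objectclass"}, set()),
    "device": ({"cn"}, {"serialnumber", "seealso", "owner", "ou", "o", "l", "description"}),
    "pwdpolicy": ({"pwdattribute"}, {
        "pwdminage", "pwdmaxage", "pwdinhistory", "pwdcheckquality", "pwdminlength",
        "pwdmaxfailure", "pwdlockout", "pwdlockoutduration", "pwdgraceauthnlimit",
        "pwdfailurecountinterval", "pwdmustchange", "pwdallowuserchange", "pwdsafemodify"}),
    "posixaccount": ({"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}

# The question's failing entry, copied from the page, embedded so this runs offline.
QUESTION_LDIF = """dn: cn=test2,ou=Users,dc=mydomain,dc=com
objectClass: device
objectClass: pwdPolicy
objectClass: top
pwdAttribute: userPassword
cn: test2
uid: test2
pwdMaxAge: 300
"""
# The answer's amended entry: the same, plus posixAccount.
ANSWER_LDIF = QUESTION_LDIF.replace("objectClass: top\n", "objectClass: top\nobjectClass: PosixAccount\n")

def parse_ldif_entry(text):
    """One LDIF add entry -> {attr_lowercase: [values]}; dn and comments are skipped."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name != "dn":
            attrs.setdefault(name, []).append(value.strip())
    return attrs

def check_entry(attrs, schema=SCHEMA):
    """(not_allowed, missing_must): the two checks behind 'Object class violation (65)'.
    An attribute must be MUST or MAY of some listed objectClass, and every MUST of every
    listed objectClass must be present. STRUCTURAL/AUXILIARY chain rules are not modelled."""
    allowed, must = {"objectclass"}, set()
    for oc in attrs.get("objectclass", []):
        m, o = schema[oc.lower()]  # KeyError for a class outside the constructed subset
        allowed |= m | o
        must |= m
    return (sorted(a for a in attrs if a not in allowed),
            sorted(a for a in must if a not in attrs))
```

`check_entry(parse_ldif_entry(QUESTION_LDIF))` flags `uid` as not allowed, matching the server's error; the posixAccount variant passes the allowed check but reports `gidnumber`, `homedirectory` and `uidnumber` as missing MUST attributes, which is the answer's second point.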