Notes for configuring pwdpolicy on openldap 2.4.
### loading the module is mostly not required - it's already loaded
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

### let's create a new OU for policies
$ cat >polou.ldif<<EOF
dn: ou=policies,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalUnit
ou: policies
description: My Organization policies come here
EOF
$ ldapadd -D cn=manager,dc=fluxcoil,dc=net -w secret -f polou.ldif

### add ppolicy
$ cat >ppmodule.ldif<<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy
EOF
$ ldapadd -Y EXTERNAL -H ldapi:/// -f ppmodule.ldif

### add the ppolicy overlay, our database here is bdb
$ cat >pwdpolicyoverlay.ldif<<EOT
dn: olcOverlay={0}ppolicy,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=fluxcoil,dc=net
EOT
$ ldapadd -Y EXTERNAL -H ldapi:/// -f pwdpolicyoverlay.ldif

### add password policy
$ cat >passwordpolicy.ldif<<EOF
dn: cn=default,ou=policies,dc=fluxcoil,dc=net
cn: default
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: 2.5.4.35
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOF
$ ldapadd -D cn=manager,dc=fluxcoil,dc=net -w secret -f passwordpolicy.ldif

### verify config
$ ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}bdb,cn=config
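An added Python check (not part of these notes) that applies the cn=default values above the way the overlay does: it parses the policy attributes, then classifies an account's pwdChangedTime, pwdFailureTime and pwdAccountLockedTime against pwdMaxAge/pwdExpireWarning and pwdMaxFailure/pwdLockoutDuration. The timestamps used are constructed; with these numbers the expiry warning starts 14 days after a change and a lock clears after 10 minutes.

```python
from datetime import datetime, timezone
# Constructed copy of the cn=default policy attributes from the notes above
POLICY_LDIF = """dn: cn=default,ou=policies,dc=fluxcoil,dc=net
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdFailureCountInterval: 0
"""

def parse_policy(ldif):
    """'attr: value' lines -> dict; TRUE/FALSE become bool, digits become int."""
    policy = {}
    for line in ldif.splitlines():
        if ":" in line:
            attr, value = (s.strip() for s in line.split(":", 1))
            policy[attr] = (value == "TRUE" if value in ("TRUE", "FALSE")
                            else int(value) if value.isdigit() else value)
    return policy

def gtime(s):  # GeneralizedTime as the overlay stores it, e.g. 20240301120000Z
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(policy, pwd_changed_time, now):
    """'ok', 'warning' or 'expired' from pwdChangedTime vs pwdMaxAge/pwdExpireWarning."""
    age = (now - gtime(pwd_changed_time)).total_seconds()
    max_age = policy.get("pwdMaxAge", 0)
    if max_age == 0:  # pwdMaxAge 0 disables expiry
        return "ok"
    if age >= max_age:
        return "expired"
    return "warning" if age >= max_age - policy.get("pwdExpireWarning", 0) else "ok"

def lockout_reached(policy, failure_times, now):
    """True once pwdMaxFailure failures fall inside pwdFailureCountInterval (0 = never age out)."""
    if not policy.get("pwdLockout"):
        return False
    interval = policy.get("pwdFailureCountInterval", 0)
    recent = [t for t in map(gtime, failure_times)
              if interval == 0 or (now - t).total_seconds() < interval]
    return len(recent) >= policy["pwdMaxFailure"]

def still_locked(policy, pwd_account_locked_time, now):
    """Lock lasts pwdLockoutDuration seconds from pwdAccountLockedTime (0 = until cleared)."""
    if pwd_account_locked_time is None:
        return False
    duration = policy.get("pwdLockoutDuration", 0)
    return duration == 0 or (now - gtime(pwd_account_locked_time)).total_seconds() < duration
```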