openldap 2.4 and ppolicy

Per olof Ljungmark peo at
Mon Dec 5 20:09:17 UTC 2016

On 2016-12-05 11:00, Matthew Seaman wrote:
> On 12/05/16 01:55, Per Olof Ljungmark wrote:
>> Can someone who implemented ppolicy on FreeBSD please enlighten me on
>> how this is done with the cn=config backend? Openldap can be really
>> frustrating at times!
> I've done this, and it is working exactly as designed for me.
> You need an entry similar to this:
> dn: olcOverlay={5}ppolicy
> objectClass: olcOverlayConfig
> objectClass: olcPPolicyConfig
> olcOverlay: {5}ppolicy
> olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> olcPPolicyForwardUpdates: FALSE
> structuralObjectClass: olcPPolicyConfig
> Located at
> cn=config/olcDatabase={1}mdb
> This tells LDAP to load the ppolicy overlay.
> Here olcDatabase {0} is the config tree read from
> ${LOCALBASE}/etc/openldap/slapd.d/ with olcDatabase {1} being our LDAP tree.
> Then you need to define your password policy at the specified DN within
> your main LDAP tree.

Hi Matthew,

I have gotten to a point very close to what you posted, however, I
cannot add
objectClass: olcOverlayConfig
that returns an "unwilling to perform" error. Are your overlays
statically compiled or dynamic?



More information about the freebsd-ports mailing list