openldap 2.4 and ppolicy

Matthew Seaman matthew at
Tue Dec 6 11:59:55 UTC 2016

On 2016/12/05 20:09, Per olof Ljungmark wrote:
> On 2016-12-05 11:00, Matthew Seaman wrote:
>> On 12/05/16 01:55, Per Olof Ljungmark wrote:
>>> Can someone who implemented ppolicy on FreeBSD please enlighten me on
>>> how this is done with the cn=config backend? Openldap can be really
>>> frustrating at times!
>> I've done this, and it is working exactly as designed for me.
>> You need an entry similar to this:
>> dn: olcOverlay={5}ppolicy
>> objectClass: olcOverlayConfig
>> objectClass: olcPPolicyConfig
>> olcOverlay: {5}ppolicy
>> olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
>> olcPPolicyHashCleartext: TRUE
>> olcPPolicyUseLockout: TRUE
>> olcPPolicyForwardUpdates: FALSE
>> structuralObjectClass: olcPPolicyConfig
>> Located at
>> cn=config/olcDatabase={1}mdb
>> This tells LDAP to load the ppolicy overlay.
>> Here olcDatabase {0} is the config tree read from
>> ${LOCALBASE}/etc/openldap/slapd.d/ with olcDatabase {1} being our LDAP tree.
>> Then you need to define your password policy at the specified DN within
>> your main LDAP tree.
> Hi Matthew,
> I have gotten to a point very close to what you posted, however, I
> cannot add
> objectClass: olcOverlayConfig
> that returns an "unwilling to perform" error. Are your overlays
> statically compiled or dynamic?
> Cheers,
> //per

These are the OPTIONS settings we use:

# poudriere options -z server -s net/openldap24-server
[00:00:00] ====>> Appending to make.conf:
===> The following configuration options are available for
     ACCESSLOG=on: With In-Directory Access Logging overlay
     ACI=off: Per-object ACI (experimental)
     AUDITLOG=on: With Audit Logging overlay
     BDB=off: With BerkeleyDB backend (DEPRECATED)
     COLLECT=on: With Collect overy Services overlay
     CONSTRAINT=on: With Attribute Constraint overlay
     DDS=on: With Dynamic Directory Services overlay
     DEBUG=off: Build with debugging support
     DEREF=on: With Dereference overlay
     DNSSRV=on: With Dnssrv backend
     DYNACL=off: Run-time loadable ACL (experimental)
     DYNAMIC_BACKENDS=on: Build dynamic backends
     DYNGROUP=on: With Dynamic Group overlay
     DYNLIST=on: With Dynamic List overlay
     FETCH=off: Enable fetch(3) support
     GSSAPI=off: With GSSAPI support (implies SASL support)
     LMPASSWD=off: With LM hash password support (DEPRECATED)
     MDB=on: With Memory-Mapped DB backend
     MEMBEROF=on: With Reverse Group Membership overlay
     ODBC=off: With SQL backend
     OUTLOOK=off: Force caseIgnoreOrderingMatch on name attribute
     PASSWD=off: With Passwd backend
     PERL=off: With Perl backend
     PPOLICY=on: With Password Policy overlay
     PROXYCACHE=on: With Proxy Cache overlay
     REFINT=on: With Referential Integrity overlay
     RELAY=off: With Relay backend
     RETCODE=on: With Return Code testing overlay
     RLOOKUPS=on: With reverse lookups of client hostnames
     RWM=on: With Rewrite/Remap overlay
     SASL=off: With (Cyrus) SASL2 support
     SEQMOD=on: With Sequential Modify overlay
     SHA2=on: With SHA2 Password hashes overlay
     SHELL=off: With Shell backend (disables threading)
     SLAPI=off: With Netscape SLAPI plugin API (experimental)
     SLP=off: With SLPv2 (RFC 2608) support
     SMBPWD=off: With Samba Password hashes overlay
     SOCK=off: With Sock backend
     SSSVLV=on: With ServerSideSort/VLV overlay
     SYNCPROV=on: With Syncrepl Provider overlay
     TCP_WRAPPERS=off: With tcp wrapper support
     TRANSLUCENT=on: With Translucent Proxy overlay
     UNIQUE=on: With attribute Uniqueness overlay
     VALSORT=on: With Value Sorting overlay

Judging by the output of 'pkg info -l openldap-server' it looks like we
have dynamically loadable back-ends and a dynamically loadable pw-sha2
module, but all of the other overlays are compiled in.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-ports mailing list