The ppolicy overlay depends on the pwdPolicy object class. The definition of that class is as follows:
    ( 1.3.6.1.4.1.42.2.27.8.2.1
      NAME 'pwdPolicy'
      AUXILIARY
      SUP top
      MUST ( pwdAttribute )
      MAY (
        pwdMinAge $ pwdMaxAge $ pwdInHistory $
        pwdCheckQuality $ pwdMinLength $ pwdMaxLength $
        pwdExpireWarning $ pwdGraceAuthnLimit $
        pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $
        pwdMaxFailure $ pwdFailureCountInterval $
        pwdMustChange $ pwdAllowUserChange $
        pwdSafeModify $ pwdMaxRecordedFailure $
        pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
The pwdPolicy class is auxiliary, not structural, so an entry using it also requires a structural object class. The namedPolicy object class is a good choice: namedPolicy requires a cn attribute, which is suitable as the policy entry's RDN.

This implementation also provides an additional pwdPolicyChecker object class, used for password quality checking (see below):
    ( 1.3.6.1.4.1.4754.2.99.1
      NAME 'pwdPolicyChecker'
      AUXILIARY
      SUP top
      MAY ( pwdCheckModule $ pwdCheckModuleArg $
        pwdUseCheckModule ) )
Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry; accounts without one simply fall under the configured default policy. In this way different users may be managed according to different policies.
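As an added illustration (not part of the original manual text), the LDIF below creates a policy entry that combines the structural namedPolicy class with the auxiliary pwdPolicy and pwdPolicyChecker classes, then attaches it to one account through pwdPolicySubentry. The suffix dc=example,dc=com, the ou=Policies and ou=People containers, the uid=alice account and the check-module path are all assumed placeholders; the numeric limits are constructed sample values, not recommendations from the page.

```ldif
# Record 1: the policy entry itself. namedPolicy is the structural class
# and supplies the cn used as the RDN; pwdPolicy and pwdPolicyChecker are
# auxiliary and carry the actual policy attributes.
dn: cn=lockout-policy,ou=Policies,dc=example,dc=com
changetype: add
objectClass: namedPolicy
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: lockout-policy
# pwdAttribute is the only MUST attribute of pwdPolicy: it names the
# attribute the policy governs (userPassword).
pwdAttribute: userPassword
# Ageing and history (seconds): 90-day maximum age, warn 7 days ahead,
# remember the last 5 hashes so they cannot be reused.
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdInHistory: 5
pwdMinLength: 12
# Lockout: 5 failures within 5 minutes lock the account for 15 minutes.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 300
pwdLockoutDuration: 900
# Force a change after an administrative reset; let users change their
# own password; require the old password when doing so.
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
# Quality checking: 2 rejects passwords the checker cannot evaluate.
# The module path is an assumed placeholder, not a real file.
pwdCheckQuality: 2
pwdUseCheckModule: TRUE
pwdCheckModule: /usr/local/lib/check_password.so

# Record 2: bind one account to the policy above. Accounts without a
# pwdPolicySubentry are evaluated against the overlay's configured default.
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=lockout-policy,ou=Policies,dc=example,dc=com
```

Both records are applied with a single ldapmodify run (for example, ldapmodify -f policy.ldif with suitable bind options), and the account's effective policy can then be read back from its pwdPolicySubentry attribute.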