These slapd.conf configuration options apply to the ppolicy overlay. They should appear after the overlay directive.
ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced.
ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such as recording failures, lockout, etc.) on a consumer should be forwarded to a provider instead of being written directly into the consumer's local database. This setting is only useful on a replication consumer, and also requires the updateref setting and the chain overlay to be appropriately configured.
ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database. This violates the X.500/LDAP information model, but may be needed to compensate for LDAP clients that don't use the Password Modify extended operation to manage passwords. It is recommended that when this option is used, compare, search, and read access to the userPassword attribute be denied to all directory users, so that neither the cleartext value nor the stored hash can be read back.
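The following slapd.conf fragment is an added example, not text from the OpenLDAP manual. It ties the directives above together: the ppolicy directives placed after the overlay line, a ppolicy_default pointing at a policy entry, ppolicy_hash_cleartext enabled, and the userPassword ACL the recommendation above calls for. The suffix, rootdn, directory, module path and the policy DN cn=default,ou=policies,dc=example,dc=com are assumptions; the pwdPolicy entry itself must be created separately.

```conf
# Added example slapd.conf fragment (not from the OpenLDAP manual).
# Assumed names: suffix dc=example,dc=com, policy entry
# cn=default,ou=policies,dc=example,dc=com, module path /usr/lib/openldap.

# OpenLDAP 2.4 only: the ppolicy schema ships as a separate file.
# 2.5 and later have it built into the overlay, so omit this line there.
include         /etc/openldap/schema/ppolicy.schema

# Only needed when the overlay was built as a dynamic module.
modulepath      /usr/lib/openldap
moduleload      ppolicy.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# userPassword: the user may only write it (=xw grants auth and write,
# nothing more), anonymous may only use it to authenticate, nobody else
# gets anything. No compare, search or read for any directory user, as
# recommended when ppolicy_hash_cleartext is in use.
access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth

# ppolicy directives must follow the overlay line for this database.
overlay                 ppolicy
ppolicy_default         "cn=default,ou=policies,dc=example,dc=com"
ppolicy_hash_cleartext
# ppolicy_use_lockout is deliberately left off: a Bind against a locked
# account then looks exactly like a wrong password to the client.
```

Check the result with a bind as an ordinary user followed by a search for its own userPassword: with the ACL above the attribute must not come back at all, and an ldapcompare on userPassword must be refused rather than answered.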
ppolicy_use_lockout
A client will always receive an LDAP InvalidCredentials response when Binding to a locked account. By default, when a Password Policy control was provided on the Bind request, a Password Policy response will be included with no special error code set. This option changes the Password Policy response to include the AccountLocked error code. Note that sending the AccountLocked error code provides useful information to an attacker: it lets them distinguish a locked account from a wrong password, confirming that the account exists and that the failure threshold has been reached. Sites that are sensitive to security issues should not enable this option.
ppolicy_send_netscape_controls
If set, ppolicy will send the password policy expired (2.16.840.1.113730.3.4.4) and password policy expiring (2.16.840.1.113730.3.4.5) controls when appropriate. The controls are not sent for bind requests where the Password Policy control has already been requested. Default is not to send the controls.
ppolicy_check_module <path>
Specify the path of a loadable module containing a check_password() function for additional password quality checks. The use of this module is described further below in the description of the pwdPolicyChecker objectclass.
Note: The user-defined loadable module must be in slapd's standard executable search PATH, or an absolute path must be provided.
Note: Use of a ppolicy_check_module is a non-standard extension to the LDAP password policy proposal.