Attaching a Password Policy to Group

This topic has 4 replies, 4 voices, and was last updated 3 years, 9 months ago by [email protected].

     Brad Tumy

    I am having an issue when assigning a new policy to a group. After assigning the policy to the group and adding a user to the group I am expecting to see the policy name when searching for the user and specifying the pwdPolicySubentry attribute, but that attribute becomes null. Before adding the user (and when removing the user) from the group pwdPolicySubentry has the Default Password Policy as a value.

    Here are the steps:

    1. Create the Group:
    dn: cn=All Staff Group,ou=Groups,dc=example,dc=net
    objectClass: groupOfUniqueNames
    objectClass: mailGroup
    objectClass: top
    cn: All Staff Group
    mail: [email protected]
    description: All Staff Group – NO EMAIL ALLOWED
    ou: Groups
    uniqueMember: [email protected],ou=Staff,ou=People,dc=example,dc=net

    2. Create the Password Policy
    dn: cn=PTA Policy,cn=Password Policies,cn=config
    objectClass: ds-cfg-authentication-policy
    objectClass: ds-cfg-ldap-pass-through-authentication-policy
    objectClass: top
    cn: PTA Policy
    ds-cfg-java-class: org.opends.server.extensions.LDAPPassThroughAuthenticatio
    ds-cfg-mapping-policy: mapped-search
    ds-cfg-use-password-caching: false
    ds-cfg-mapped-attribute: mail
    ds-cfg-mapped-search-base-dn: o=example
    ds-cfg-mapped-search-bind-dn: cn=ldap3,ou=technologysvcs,o=example
    ds-cfg-mapped-search-bind-password: xxxx

    3. Assign the policy to the group
    dn: cn=PTA Policy for All Staff2,dc=example,dc=net
    objectClass: collectiveAttributeSubentry
    objectClass: extensibleObject
    objectClass: subentry
    objectClass: top
    cn: PTA Policy for All Staff2
    ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies, cn=config
    subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=cn=All Staff,ou=Groups,dc=example,dc=net)"}

    4. Search Result
    When the user is in the All Staff Group:
    ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --baseDN "ou=Staff,ou=People,dc=example,dc=net" "(uid=btum*)" pwdPolicySubentry
    Password for user 'cn=Directory Manager':
    dn: [email protected],ou=Staff,ou=People,dc=example,dc=net

    When the user is removed from the All Staff Group:
    ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --baseDN "ou=Staff,ou=People,dc=example,dc=net" "(uid=btum*)" pwdPolicySubentry
    Password for user 'cn=Directory Manager':
    dn: [email protected],ou=Staff,ou=People,dc=example,dc=net
    pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

    I appreciate any pointers on what I may have done wrong.

    Brad Tumy

     Mike Woodburne

    Hi Brad

    You haven’t done anything wrong. You are assigning an authentication policy and not a password policy, even though you use the ds-pwp-password-policy-dn attribute to set it. OpenDJ does not return a specific value for the pwdPolicySubentry for authentication policies.

    As for how to verify that it has been properly set, I’m not too sure there – I usually just test that the pass through authentication is working correctly and then grab a beer.


     Brad Tumy

    Cool, thanks Mike. I noticed the same results when I tried to assign an actual password policy as well. I’ll just test the PTA and follow the rest of your advice as well ;-)


    Yes, there are two authentication policy types and they are exclusive: either PTA or Password Policy.
    When assigning a PTA, the entry no longer has a password policy, since the password is supposed to be handled elsewhere, in another server.



    Hi all,
    Is there any way to apply a PTA policy at an OU level instead of to a group?
    This is the configuration I used to assign the password policy to an OU:
    dn: cn=AD PTA Policy,dc=diam,dc=example,dc=com
    objectClass: collectiveAttributeSubentry
    objectClass: extensibleObject
    objectClass: subentry
    objectClass: top
    cn: AD PTA Policy
    ds-pwp-password-policy-dn;collective: cn=AD PTA Policy,cn=Password Policies,cn=config
    subtreeSpecification: { base "ou=People", specificationFilter "(ou=PTA,dc=diam,dc=example,dc=com)"}

    But when I try to search for the user I get an invalid credentials response. However, when I assign the PTA to a specific user under the same OU, I am able to find the user data.

    Also, please let us know how to get the assigned policy using the ldapsearch command. In this scenario, I want to search dn: cn=AD PTA Policy,dc=example,dc=com
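Since, as the replies above note, pwdPolicySubentry tells you nothing once a PTA policy is in play, the practical way to reason about both configurations in this thread (the group-scoped subentry in the first post and the OU-scoped attempt in the last one) is to work out which entries a subentry's subtreeSpecification actually selects. The following is an added example written for this page, not OpenDJ's own code: a small Python model of RFC 3672 subtree selection that handles only the base and specificationFilter components and a filter grammar limited to equality plus &, | and !. It assumes first-match semantics and that base is resolved relative to the subentry's parent entry. The DNs, entries and group name are constructed; the "ou as base" subentry is this example's suggestion for scoping by OU and assumes ou=PTA sits under ou=People.

```python
"""Added example (not OpenDJ code): model of how a collective-attribute
subentry's subtreeSpecification selects entries.  Only `base` and
`specificationFilter` are modelled; the filter grammar is equality plus
&, | and !.  Every DN and entry below is constructed for illustration."""

import re
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, List[str]]


def _canon(value: str) -> str:
    """Case-fold and strip whitespace around RDN separators so
    'cn=All Staff, ou=Groups' and 'cn=all staff,ou=groups' compare equal."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", value)).lower()


def normalize_dn(dn: str) -> List[str]:
    """DN -> list of canonical RDNs, leaf first (empty DN -> empty list)."""
    return _canon(dn).split(",") if dn.strip() else []


def parse_subtree_spec(spec: str) -> Dict[str, Optional[str]]:
    """Extract `base` and `specificationFilter`.  Curly quotes (as a forum
    renders them) are folded to straight ones; a real server rejects them."""
    spec = spec.replace("\u201c", '"').replace("\u201d", '"')
    base = re.search(r'base\s+"([^"]*)"', spec)
    filt = re.search(r'specificationFilter\s+"([^"]*)"', spec)
    return {"base": base.group(1) if base else "",
            "filter": filt.group(1) if filt else None}


def effective_root(subentry_dn: str, base: str) -> List[str]:
    """`base` is relative to the subentry's PARENT (the administrative
    point): the subtree root is base + parent, never base on its own."""
    return normalize_dn(base) + normalize_dn(subentry_dn)[1:]


def in_scope(entry_dn: str, root: List[str]) -> bool:
    rdns = normalize_dn(entry_dn)
    return len(rdns) >= len(root) and rdns[len(rdns) - len(root):] == root


def _parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Recursive-descent parser for a subset of RFC 4515; returns (node, next)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = _parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    # everything up to ')' is the assertion value: a DN pasted here becomes
    # one long value, not a second assertion
    return ("=", attr.strip().lower(), _canon(value)), end + 1


def _eval(node: tuple, attrs: Attrs) -> bool:
    op = node[0]
    if op == "=":
        return node[2] in {_canon(v) for v in attrs.get(node[1], [])}
    if op == "&":
        return all(_eval(k, attrs) for k in node[1])
    if op == "|":
        return any(_eval(k, attrs) for k in node[1])
    return not _eval(node[1][0], attrs)  # "!"


def matches_filter(filter_str: str, attrs: Attrs) -> bool:
    s = filter_str.strip()
    node, end = _parse_filter(s)
    if end != len(s):
        raise ValueError("trailing text after filter")
    return _eval(node, {k.lower(): list(v) for k, v in attrs.items()})


def applicable_policy(entry_dn: str, attrs: Attrs, subentries: List[dict]) -> Optional[str]:
    """ds-pwp-password-policy-dn the first matching subentry would inject,
    or None when no subentry applies (the server default policy is used)."""
    for sub in subentries:
        spec = parse_subtree_spec(sub["spec"])
        if not in_scope(entry_dn, effective_root(sub["dn"], spec["base"])):
            continue
        if spec["filter"] is None or matches_filter(spec["filter"], attrs):
            return sub["policy"]
    return None


# --- constructed data modelled on the thread (not real entries) ---
GROUP_DN = "cn=All Staff Group,ou=Groups,dc=example,dc=net"
GROUP_SUBENTRY = {
    "dn": "cn=PTA Policy for All Staff2,dc=example,dc=net",
    "spec": '{ base "ou=People", specificationFilter "(isMemberOf=%s)" }' % GROUP_DN,
    "policy": "cn=PTA Policy,cn=Password Policies,cn=config",
}
STAFF_DN = "uid=jdoe,ou=Staff,ou=People,dc=example,dc=net"
CONTRACTOR_DN = "uid=jdoe,ou=Contractors,dc=example,dc=net"  # outside ou=People
# the OU attempt from the last post: the filter asserts ou equals the whole
# string "PTA,dc=diam,dc=example,dc=com", which no entry carries
BROKEN_OU_SUBENTRY = {
    "dn": "cn=AD PTA Policy,dc=diam,dc=example,dc=com",
    "spec": '{ base "ou=People", specificationFilter "(ou=PTA,dc=diam,dc=example,dc=com)" }',
    "policy": "cn=AD PTA Policy,cn=Password Policies,cn=config",
}
# suggested alternative: make the OU itself the base (assumes ou=PTA is under ou=People)
FIXED_OU_SUBENTRY = dict(BROKEN_OU_SUBENTRY, spec='{ base "ou=PTA,ou=People" }')
PTA_USER_DN = "uid=asmith,ou=PTA,ou=People,dc=diam,dc=example,dc=com"


def demo() -> Dict[str, Optional[str]]:
    member = {"isMemberOf": [GROUP_DN]}
    return {
        "member in ou=People": applicable_policy(STAFF_DN, member, [GROUP_SUBENTRY]),
        "non-member": applicable_policy(STAFF_DN, {}, [GROUP_SUBENTRY]),
        "member outside base": applicable_policy(CONTRACTOR_DN, member, [GROUP_SUBENTRY]),
        "ou filter as posted": applicable_policy(PTA_USER_DN, {"ou": ["PTA"]}, [BROKEN_OU_SUBENTRY]),
        "ou as base": applicable_policy(PTA_USER_DN, {}, [FIXED_OU_SUBENTRY]),
    }


if __name__ == "__main__":
    for case, policy in demo().items():
        print(f"{case:22} -> {policy or 'default password policy'}")
```

Two things the model makes visible: a group member sitting outside the base (the contractor) gets no collective value however the filter reads, and the OU attempt selects nobody because the DN tail ends up inside the assertion value rather than narrowing the scope; putting the OU in the base does the scoping without a filter at all. Whether a selected user then authenticates correctly still has to be checked with a bind through the PTA policy, as the replies above say.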


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
