Implementing password policies in OpenLDAP with dynamic backend

Password policies can be added to OpenLDAP with the ppolicy overlay.
Use the following steps to add the overlay to an OpenLDAP server that uses the dynamic configuration backend (cn=config).

Create the following LDIF to add the ppolicy module:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

Then add the following LDIF to configure the overlay:

dn: olcOverlay={5}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {5}ppolicy
olcPPolicyDefault: cn=Default,ou=Policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

Make sure the ou=Policies entry already exists before adding the above LDIF.

The following LDIF can be used to add the default policy:

dn: cn=Default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: Default
sn: Default
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 6
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

Now the policy is active for all users.
When you change the password of a user, the minimum length should be 5 characters.
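
The policy entry above sets pwdCheckQuality: 0, and according to slapo-ppolicy(5) a value of 0 means no syntax checking is done, so pwdMinLength is not enforced until pwdCheckQuality is 1 or 2. The following added example (not part of the original page; the function names and finding ids are hypothetical) parses the policy entry and reports settings of this kind:

```python
# Added example: audit a pwdPolicy entry for settings whose effect is easy
# to misread. Function names and finding ids are hypothetical.
POLICY_LDIF = """\
dn: cn=Default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMaxAge: 0
pwdMinLength: 6
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 0
"""  # subset of the attributes in the policy entry on this page


def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: last value}."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        entry[name.strip().lower()] = value.strip()
    return entry


def audit_policy(entry):
    """Return {finding id: explanation}, following slapo-ppolicy(5)."""
    def num(attr):
        return int(entry.get(attr, "0"))

    def flag(attr):
        return entry.get(attr, "FALSE").upper() == "TRUE"

    findings = {}
    if num("pwdminlength") > 0 and num("pwdcheckquality") == 0:
        findings["minlength-not-enforced"] = (
            "pwdCheckQuality 0 disables syntax checking, so pwdMinLength is ignored")
    if num("pwdmaxage") == 0:
        findings["no-expiry"] = "pwdMaxAge 0 means passwords never expire"
    if flag("pwdlockout") and num("pwdmaxfailure") > 0 and num("pwdlockoutduration") == 0:
        findings["permanent-lockout"] = (
            "pwdLockoutDuration 0 keeps a locked account locked until an administrator resets it")
    return findings


if __name__ == "__main__":
    for finding, why in audit_policy(parse_entry(POLICY_LDIF)).items():
        print(f"{finding}: {why}")
```

Setting pwdCheckQuality to 1 or 2 and a non-zero pwdLockoutDuration (in seconds) clears the first and third findings.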

Make sure users are able to change their own passwords.
If this is not possible, add the following value to the olcAccess attribute in the hdb config section.

to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none