Assigning a password policy using a virtual attribute
About this task
You can automatically assign a custom password policy to a set of users by using a virtual attribute. The virtual attribute can be configured with a range of criteria that select the entries on which it appears; the procedure below selects entries by group membership.
Steps
- Create an LDIF file that you can use to add a group to the server.

  Example (saved as groups.ldif):

  dn: ou=Groups,dc=example,dc=com
  objectClass: organizationalunit
  objectClass: top
  ou: Groups

  dn: cn=Engineering Managers,ou=groups,dc=example,dc=com
  objectClass: groupOfUniqueNames
  objectClass: top
  cn: Engineering Managers
  uniqueMember: uid=user.0,ou=People,dc=example,dc=com

- To add the entries to the server, run the ldapmodify tool.

  Example:

  $ bin/ldapmodify --defaultAdd --filename groups.ldif

- To create a virtual attribute, run dsconfig.

  This virtual attribute adds the ds-pwp-password-policy-dn attribute, with a value of cn=Demo Password Policy,cn=Password Policies,cn=config, to the entries of all users that are members of the cn=Engineering Managers,ou=Groups,dc=example,dc=com group.

  Example:

  $ bin/dsconfig create-virtual-attribute \
    --name "Eng Mgrs Password Policy" \
    --type user-defined \
    --set "description:Eng Mgrs Grp PWPolicy" \
    --set enabled:true \
    --set attribute-type:ds-pwp-password-policy-dn \
    --set "value:cn=Demo Password Policy,cn=Password Policies,cn=config" \
    --set "group-dn:cn=Engineering Managers,ou=Groups,dc=example,dc=com"

- To verify that a user in the group has the assigned password policy distinguished name (DN), run the ldapsearch tool.

  Example:

  $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \
    ds-pwp-password-policy-dn

  Result:

  dn: uid=user.0,ou=People,dc=example,dc=com
  ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
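The procedure above has two parts that are easy to get wrong silently: the group DN in the LDIF and the group-dn in the dsconfig command must refer to the same entry (DN matching is case-insensitive, which is why ou=groups and ou=Groups both work), and after the virtual attribute is created every intended member, and only those members, should show the policy DN. The following is an added example, not code from the directory server or its documentation. It is written in Python rather than as a shell wrapper around ldapmodify, dsconfig and ldapsearch so that it runs offline: it parses a constructed LDIF (the two group entries from the steps plus two constructed user entries, user.0 and user.1), resolves group membership from uniqueMember, reports the value the group-scoped virtual attribute would present on each user, and checks an ldapsearch-style result against the expected policy DN. The simulation models only the group-dn criterion; it does not reproduce the server's other virtual-attribute criteria or a stored ds-pwp-password-policy-dn value.

```python
"""Offline model of a group-scoped user-defined virtual attribute (added example,
not the directory server's own implementation)."""

import re

# Values taken from the procedure on the page.
POLICY_DN = "cn=Demo Password Policy,cn=Password Policies,cn=config"
GROUP_DN = "cn=Engineering Managers,ou=Groups,dc=example,dc=com"

# Constructed sample data: the two group entries from groups.ldif plus two
# constructed user entries so that both a member and a non-member are visible.
SAMPLE_LDIF = """\
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups

dn: cn=Engineering Managers,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Engineering Managers
uniqueMember: uid=user.0,ou=People,dc=example,dc=com

dn: uid=user.0,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user.0

dn: uid=user.1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user.1
"""

# Constructed copy of the ldapsearch result shown on the page.
SEARCH_RESULT = """\
dn: uid=user.0,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
"""


def normalize_dn(dn):
    """Canonical form for comparison: DN components here are case-insensitive
    and whitespace around the comma separators is not significant."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, continuation lines starting with one space. Base64 ('::') values
    are not handled. Returns {normalized DN: {attr_lower: [values], '_dn': dn}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:      # unfold continuation line
                lines[-1] += line[1:]
            else:
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        attrs["_dn"] = dn
        entries[normalize_dn(dn)] = attrs
    return entries


def group_members(entries, group_dn):
    """Normalized DNs listed as uniqueMember of a groupOfUniqueNames entry."""
    group = entries.get(normalize_dn(group_dn))
    if group is None:
        raise KeyError("group not found: " + group_dn)
    return {normalize_dn(m) for m in group.get("uniquemember", [])}


def effective_policy_dn(entries, user_dn, group_dn=GROUP_DN, value=POLICY_DN):
    """Value the virtual attribute presents on user_dn: the configured policy
    DN for group members, None otherwise (the server default then applies)."""
    return value if normalize_dn(user_dn) in group_members(entries, group_dn) else None


def policy_report(entries, group_dn=GROUP_DN, value=POLICY_DN):
    """Map every user entry (objectClass inetOrgPerson) to its effective policy."""
    return {e["_dn"]: effective_policy_dn(entries, e["_dn"], group_dn, value)
            for e in entries.values()
            if "inetorgperson" in (c.lower() for c in e.get("objectclass", []))}


def check_search_result(result_ldif, expected_policy_dn=POLICY_DN):
    """Return the DNs in an ldapsearch result that do NOT carry the expected
    ds-pwp-password-policy-dn, so a post-change check can fail loudly."""
    mismatches = []
    for entry in parse_ldif(result_ldif).values():
        values = entry.get("ds-pwp-password-policy-dn", [])
        if not any(normalize_dn(v) == normalize_dn(expected_policy_dn) for v in values):
            mismatches.append(entry["_dn"])
    return mismatches


if __name__ == "__main__":
    for dn, policy in policy_report(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", policy or "(default policy)")
    print("mismatches in search result:", check_search_result(SEARCH_RESULT))
```

Running the script prints user.0 mapped to the Demo Password Policy and user.1 mapped to the default policy, and reports no mismatches for the page's ldapsearch result. In a real deployment the same check is worth running against the output of the ldapsearch step for every expected member after the dsconfig change, since a typo in group-dn produces no error but leaves the users on the default policy.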