ITS#9396 Recommend namedPolicy for ppolicy entries

2025-03-19 14:30:57 +08:00 · 2020-11-16 16:58:37 -06:00 · 2020-11-16 16:58:37 -06:00 · 4e4341f379
commit 4e4341f379
parent 932cc56817
2 changed files with 14 additions and 2 deletions
--- a/doc/guide/admin/overlays.sdf
+++ b/doc/guide/admin/overlays.sdf
@ -931,7 +931,7 @@ The actual policy would be:
 >       dn: cn=default,ou=policies,dc=example,dc=com
 >       cn: default
 >       objectClass: pwdPolicy
->       objectClass: person
+>       objectClass: namedPolicy
 >       objectClass: top
 >       pwdAllowUserChange: TRUE
 >       pwdAttribute: userPassword
@ -948,10 +948,11 @@ The actual policy would be:
 >       pwdMinLength: 5
 >       pwdMustChange: FALSE
 >       pwdSafeModify: FALSE
->       sn: dummy value

 You can create additional policy objects as needed. 

+The namedPolicy object class is present because the policy entry
+requires a structural object class.

 There are two ways password policy can be applied to individual objects:

--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@ -125,6 +125,17 @@ object class.  The definition of that class is as follows:
        pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
 .RE

+The
+.B pwdPolicy
+class is not structural, and so entries using it require another,
+structural, object class.  The
+.B namedPolicy
+object class is a good choice.
+.B namedPolicy
+requires a
+.B cn
+attribute, suitable as the policy entry's rDN.
+
 This implementation also provides an additional
 .B pwdPolicyChecker
 objectclass, used for password quality checking (see below).