From 92a3fb5648a2b3906b9259a9aab32235bf85ce4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= Date: Fri, 5 Jun 2026 11:12:57 +0100 Subject: [PATCH] ITS#9343 doc: Update admin guide to match --- doc/guide/admin/overlays.sdf | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf index adc8e39184..c4a9982ccb 100644 --- a/doc/guide/admin/overlays.sdf +++ b/doc/guide/admin/overlays.sdf @@ -894,7 +894,7 @@ a policy object to use if none other is specified in a user's object. > [...additional database configuration directives go here...] > > overlay ppolicy -> ppolicy_default "cn=default,ou=policies,dc=example,dc=com" +> ppolicy_rules require_password=yes policy_dn="cn=default,ou=policies,dc=example,dc=com" Now we need a container for the policy objects. In our example the password 
@@ -958,12 +958,15 @@ There are two ways password policy can be applied to individual objects: 1. The pwdPolicySubentry in a user's object - If a user's object has a pwdPolicySubEntry attribute specifying the DN of a policy object, then -the policy defined by that object is applied. +the policy defined by that object is applied. This is discouraged. -2. Default password policy - If there is no specific pwdPolicySubentry set -for an object, and the password policy module was configured with the DN of a -default policy object and if that object exists, then the policy defined in -that object is applied. +2a. Password policy selection rules - A policy or a decision that no policy +should be applied can be described as a set of rules. + +2b. Default password policy - If there is no specific pwdPolicySubentry set +for an object, the policy selection rules run out without a decision, and the +password policy module was configured with the DN of a default policy object +and if that object exists, then the policy defined in that object is applied. Please see {{slapo-ppolicy(5)}} for a complete explanation of its features.
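Review bot: In the first hunk (overlays.sdf, -894), the new example line `ppolicy_rules require_password=yes policy_dn="cn=default,ou=policies,dc=example,dc=com"` is still introduced by the unchanged context sentence ending "a policy object to use if none other is specified in a user's object", which describes a default policy and not a selection rule. Nothing in the visible text says what `require_password=yes` selects on or whether this rule is meant to behave like the removed `ppolicy_default` fallback, so an administrator copying the example cannot tell which entries end up covered by the policy. Suggest rewording the lead-in sentence to match the new directive and adding one line on what each keyword means, or a pointer to slapo-ppolicy(5) at this spot.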
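Review bot: In the second hunk (-958), the unchanged intro still says "There are two ways password policy can be applied to individual objects" while the list now has three entries labelled 1, 2a and 2b; update the count and number them 1, 2, 3 so the order of evaluation is explicit. The added "This is discouraged." on item 1 gives no reason and no preferred alternative; say why and point the reader to the selection rules. Item 2a never names the directive that holds the rules (the example in the first hunk uses `ppolicy_rules`) and does not state how a rule relates to a pwdPolicySubentry already set on the entry. In 2b, the chain "the policy selection rules run out without a decision, and the password policy module was configured ... and if that object exists" would read better split into separate conditions.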