From 4e4341f379b926876736232737134df6b500d04c Mon Sep 17 00:00:00 2001
From: "Karl O. Pinc" <kop@karlpinc.com>
Date: Mon, 16 Nov 2020 16:58:37 -0600
Subject: [PATCH] ITS#9396 Recommend namedPolicy for ppolicy entries

---
 doc/guide/admin/overlays.sdf |  5 +++--
 doc/man/man5/slapo-ppolicy.5 | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf
index 80b70b9699..277aecdcd4 100644
--- a/doc/guide/admin/overlays.sdf
+++ b/doc/guide/admin/overlays.sdf
@@ -931,7 +931,7 @@ The actual policy would be:
 >       dn: cn=default,ou=policies,dc=example,dc=com
 >       cn: default
 >       objectClass: pwdPolicy
->       objectClass: person
+>       objectClass: namedPolicy
 >       objectClass: top
 >       pwdAllowUserChange: TRUE
 >       pwdAttribute: userPassword
@@ -948,10 +948,11 @@ The actual policy would be:
 >       pwdMinLength: 5
 >       pwdMustChange: FALSE
 >       pwdSafeModify: FALSE
->       sn: dummy value
 
 You can create additional policy objects as needed. 
 
+The namedPolicy object class is present because the policy entry
+requires a structural object class.
 
 There are two ways password policy can be applied to individual objects:
 
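Review bot: The added sentence about namedPolicy is separated from the example entry it explains by "You can create additional policy objects as needed.", and it does not say why pwdPolicy alone is not enough. Consider moving it directly under the example and stating, as the slapo-ppolicy.5 hunk does, that pwdPolicy is not a structural class, so the entry also carries namedPolicy with cn as its naming attribute. One extra clause would also tell readers why "sn: dummy value" is gone: it was only there to satisfy person.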
diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5
index 1c8efe1b8c..da768fec25 100644
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -125,6 +125,17 @@ object class.  The definition of that class is as follows:
         pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
 .RE
 
+The
+.B pwdPolicy
+class is not structural, and so entries using it require another,
+structural, object class.  The
+.B namedPolicy
+object class is a good choice.
+.B namedPolicy
+requires a
+.B cn
+attribute, suitable as the policy entry's rDN.
+
 This implementation also provides an additional
 .B pwdPolicyChecker
 objectclass, used for password quality checking (see below).
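Review bot: In the last added line, "rDN" should be "RDN", the usual spelling of the abbreviation. The phrase "is a good choice" also leaves the reader without anything to act on: the paragraph does not say where namedPolicy is defined, and if other structural classes remain acceptable (the admin guide example used person until this patch) it would help to say so in one sentence.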
-- 
GitLab