From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DIRSTUDIO-1182) unable to add or see some attribute for pwdpolicy schema.
Date Fri, 01 Jun 2018 11:56:00 GMT

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497888#comment-16497888
] 

Emmanuel Lecharny edited comment on DIRSTUDIO-1182 at 6/1/18 11:55 AM:
-----------------------------------------------------------------------

That is exactly what I told you to do in my previous comment :) Glad you got it working.

Regarding the {{pwdPolicySubentry}} attribute, it's an operational attribute, thus it's entirely
meaningful for the server, but not for the client. It's not associated with any {{ObjectClass}}.

Normally, if it's a critical attribute, then it will also have the {{NO-USER-MODIFICATION}}
flag that forbids the user to change it or add it to an entry. For instance:
{code:java}
( 1.3.6.1.4.1.42.2.27.8.1.23
         NAME 'pwdPolicySubentry'
         DESC 'The pwdPolicy subentry in effect for this object'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )
{code}

That means you can't modify or add this attribute. The server should reject the modification.

In this very case, the attribute (and its value) is managed automatically when you set up
the subentry: either all the associated entries are modified by the server to have them pointing
to the subentry containing the password policy configuration (costly if you have millions
of entries...) or, better, this attribute is inferred (which costs a bit every time the entry
is managed).

Anyway, this is very server dependent.

I strongly suggest you read the {{[PasswordPolicy|https://tools.ietf.org/html/draft-behera-ldap-password-policy-10]}}
draft.


was (Author: elecharny):
That is exactly what I told you to do in my previous comment :-) Glad you got it working.

Regarding the {{pwdPolicySubentry}} attribute, it's an operational attribute, thus it's entirely
meaningful for the server, but not for the client. It's not associated with any {{ObjectClass}},
so if you try to add such an attribute to an entry, you will get a warning.
Normally, if it's a critical attribute, then it will also have the {{NO-USER-MODIFICATION}}
flag that forbids the user to change it or add it to an entry. For instance:

{code}
( 2.5.18.3 NAME 'creatorsName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE NO-USER-MODIFICATION
        USAGE directoryOperation )
{code}



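The comment above explains why a client warns about {{pwdPolicySubentry}} and why the server rejects a user write: the attribute has {{USAGE directoryOperation}} (operational, so it belongs to no {{ObjectClass}}) and carries {{NO-USER-MODIFICATION}}. The following added example, which is not code from Apache Directory Studio, OpenLDAP or the comment author, parses RFC 4512-style attribute type definitions (the two quoted in the comment plus a constructed {{mail}} definition for contrast) and shows the two checks a client and a server would make. The {{server_check_modify}} function and its result-code strings are a constructed stand-in for the server's decision, not OpenLDAP's implementation.

```python
"""Parse LDAP attribute type definitions (RFC 4512 syntax) and decide
whether a user may write them.  Constructed example; not code from
Apache Directory Studio or OpenLDAP."""
import re
from dataclasses import dataclass, field

# Constructed input: the two definitions quoted in the comment above.
PWD_POLICY_SUBENTRY = """( 1.3.6.1.4.1.42.2.27.8.1.23
         NAME 'pwdPolicySubentry'
         DESC 'The pwdPolicy subentry in effect for this object'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )"""

CREATORS_NAME = """( 2.5.18.3 NAME 'creatorsName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE NO-USER-MODIFICATION
        USAGE directoryOperation )"""

# An ordinary user attribute for contrast (constructed from the usual mail definition).
MAIL = """( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )"""

FLAGS = {"SINGLE-VALUE", "NO-USER-MODIFICATION", "OBSOLETE", "COLLECTIVE"}
KEYWORDS = {"NAME", "DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "SUP", "USAGE"}


@dataclass
class AttributeType:
    oid: str
    names: list = field(default_factory=list)
    usage: str = "userApplications"   # RFC 4512 default when USAGE is absent
    no_user_modification: bool = False
    single_value: bool = False
    fields: dict = field(default_factory=dict)


# Tokens: quoted strings, parentheses, or bare words (OIDs, keywords, names).
_TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")


def parse_attribute_type(text: str) -> AttributeType:
    toks = _TOKEN.findall(text)
    if not toks or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be wrapped in parentheses")
    body = toks[1:-1]
    at = AttributeType(oid=body[0])   # the numeric OID always comes first
    i = 1
    while i < len(body):
        tok = body[i]
        if tok in FLAGS:
            if tok == "NO-USER-MODIFICATION":
                at.no_user_modification = True
            elif tok == "SINGLE-VALUE":
                at.single_value = True
            i += 1
        elif tok in KEYWORDS:
            i += 1
            if body[i] == "(":            # qdescrs list, e.g. NAME ( 'a' 'b' )
                j = body.index(")", i)
                vals = [v.strip("'") for v in body[i + 1:j]]
                i = j + 1
            else:
                vals = [body[i].strip("'")]
                i += 1
            if tok == "NAME":
                at.names = vals
            elif tok == "USAGE":
                at.usage = vals[0]
            else:
                at.fields[tok] = vals[0]
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return at


def is_operational(at: AttributeType) -> bool:
    """Operational attributes carry a USAGE other than userApplications."""
    return at.usage != "userApplications"


def user_may_write(at: AttributeType) -> bool:
    """Client-side check before offering 'add' or 'modify' on an attribute."""
    return not at.no_user_modification


def server_check_modify(schema: dict, attr_name: str) -> str:
    """Constructed stand-in for the server's decision on a modify request."""
    at = schema.get(attr_name.lower())
    if at is None:
        return "undefinedAttributeType"
    if at.no_user_modification:
        return "constraintViolation"   # the server owns this value; reject the write
    return "success"


def build_schema(*defs) -> dict:
    schema = {}
    for d in defs:
        at = parse_attribute_type(d)
        for n in at.names:
            schema[n.lower()] = at      # attribute names are case-insensitive
    return schema


if __name__ == "__main__":
    schema = build_schema(PWD_POLICY_SUBENTRY, CREATORS_NAME, MAIL)
    for name in ("pwdPolicySubentry", "creatorsName", "mail"):
        at = schema[name.lower()]
        print(f"{name}: usage={at.usage} operational={is_operational(at)} "
              f"userMayWrite={user_may_write(at)} -> {server_check_modify(schema, name)}")
```

Running the block prints one line per attribute; {{pwdPolicySubentry}} and {{creatorsName}} come out as operational and not user-writable, which is the behaviour the comment describes, while {{mail}} is accepted. A browser that consults the parsed schema this way can refuse the write up front instead of showing the warning and letting the server reject it.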
> unable to add or see some attribute for pwdpolicy schema.
> ---------------------------------------------------------
>
>                 Key: DIRSTUDIO-1182
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1182
>             Project: Directory Studio
>          Issue Type: Question
>            Reporter: steve balon
>            Priority: Major
>         Attachments: image-2018-05-31-23-56-59-154.png, image-2018-06-01-11-08-02-182.png,
image-2018-06-01-12-55-42-535.png, image-2018-06-01-12-56-49-149.png
>
>
> We are deploying the PWDpolicy schema on our OpenLDAP.
> I'm using Apache Directory Studio:
> Version: 2.0.0.v20170904-M13
>  
> The schema has been uploaded to the LDAP tree.
> Including component versions:
> - openldap 2.4.44
> - openssl 1.0.2k
> - Berkeley DB 6.2.23
>  
> When we try to add the pwdPolicySubentry in one User,
> the attribute is well recognized by the tool because it is shown in the entry:
> !image-2018-05-31-23-56-59-154.png!
> but the addition fails with a message:
> "Warning, according to the schema, the attribute pwdPolicySubentry is not authorized
> Do you still want to add it."
> If I add it, it's added somehow, because if I try again the error message says that the attribute
is already there or cannot have 2 values.
>  
> But even if I refresh, Apache Directory Studio doesn't show it.
> I have the exact same issue with the attribute pwdChangedTime:
> I can enter a date, but it's not shown on the tree.
>  
> I really want to confirm how I can see that, because I also have a cluster of LDAP and
want to be sure that those specific 2 entries are replicated, and I can't confirm that if I don't
see them.
>  
> Do you have any idea or explanation for me?
>  
> Thanks.
>  
> Steve
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
