Hi, I'm stuck on this issue, any feedback is most appreciated.
I have two types of users - 'inside' and 'outside' . There exists a password policy for each
type.
When users are created, the pwdPolicySubEntry attribute is added with the DN of the relevant
policy. - OK
We have a case were users can be moved from inside to outside and vice versa.
LdapContext.rename(strOldDn, strNewDn);
Moving the user object as shown above works fine but I cannot figure out how to update the
policy afterwards.
Tried to replace or delete the attribute, the following exception occurs.
[LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
Message ID : 45 Modify Request
Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
Modification[0]
Operation : replace
Modification pwdPolicySubEntry: ads-pwdId=cproint,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@878ad1e1<mailto:org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@878ad1e1>:
ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry'
DESC The pwdPolicy subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation
) ]
Is there a way to do this without creating a new entry and copying all the attributes?
More generally, is there an administrative type connection in which operational attributes
can be updated?
Thanks Carlo
|