directory-users mailing list archives

From <Carlo.Acco...@ibs-ag.com>
Subject RE: ApacheDS changing value of pwdPolicySubEntry after creation
Date Tue, 15 Nov 2011 16:17:13 GMT
Hi, we're definitely using an admin to bind: 'uid=admin,ou=system'.
The schema has a read-only flag so I don't know if what I'm asking to do is even possible?


( 1.3.6.1.4.1.42.2.27.8.1.23 
NAME 'pwdPolicySubentry' 
DESC 'The pwdPolicy subentry in effect for this object' 
EQUALITY distinguishedNameMatch 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
SINGLE-VALUE 
NO-USER-MODIFICATION 
USAGE directoryOperation 
X-SCHEMA 'null' )


Regards,
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, November 15, 2011 10:06 AM
To: users@directory.apache.org
Subject: Re: ApacheDS changing value of pwdPolicySubEntry after creation

Are you modifying this entry as an admin user? If not, try modifying with an admin user connection/session.
Let us know if there are any issues.

On Mon, Nov 14, 2011 at 10:11 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> sorry for the late reply, will take a look at this tomorrow and let 
> you know
>
> On Mon, Nov 14, 2011 at 9:08 AM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>> Hi, I'm stuck on this issue, any feedback is most appreciated.
>>
>> I have two types of users - 'inside' and 'outside'. There exists a password policy for each type.
>> When users are created, the pwdPolicySubEntry attribute is added with 
>> the DN of the relevant policy. - OK
>>
>> We have a case where users can be moved from inside to outside and vice versa.
>>
>> LdapContext.rename(strOldDn, strNewDn);
>>
>> Moving the user object as shown above works fine but I cannot figure out how to update the policy afterwards.
>>
>> Tried to replace or delete the attribute, the following exception occurs.
>> [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 45     Modify Request Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
>> Modification[0]
>> Operation :  replace
>> Modification     pwdPolicySubEntry: ads-pwdId=cproint,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@878ad1e1: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation  ) ]
>>
>> Is there a way to do this without creating a new entry and copying all the attributes?
>>
>> More generally, is there an administrative type connection in which operational attributes can be updated?
>>
>> Thanks Carlo
>>
>>
>
>
>
> --
> Kiran Ayyagari
>



--
Kiran Ayyagari
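
Added example, not part of the original thread and not ApacheDS code: a small Python parser for the RFC 4512 attribute type definition quoted above, reporting whether the attribute is operational and whether it carries NO-USER-MODIFICATION, the flag named in the ERR_52 response. The names `parse_attribute_type`, `classify` and `CONSTRUCTED_USER_ATTR` are hypothetical, and the second definition is a constructed comparison input.

```python
import re

# Definition exactly as quoted in the message above.
PWD_POLICY_SUBENTRY = """( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation
X-SCHEMA 'null' )"""

# Constructed comparison input: a simplified ordinary user attribute.
CONSTRUCTED_USER_ATTR = ("( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch "
                         "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )")

FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}

def parse_attribute_type(text):
    """Parse an RFC 4512 AttributeTypeDescription into a dict."""
    tok = re.findall(r"'[^']*'|[()]|[^\s()']+", text)
    if len(tok) < 3 or tok[0] != "(" or tok[-1] != ")":
        raise ValueError("expected '( <oid> ... )'")
    at = {"oid": tok[1], "flags": set(), "NAME": [], "USAGE": ["userApplications"]}
    i, last = 2, len(tok) - 1
    while i < last:
        key, i = tok[i], i + 1
        if key in FLAGS:                      # bare keyword, no value follows
            at["flags"].add(key)
            continue
        if i >= last:
            raise ValueError("keyword %s has no value" % key)
        if tok[i] == "(":                     # list form, e.g. NAME ( 'a' 'b' )
            end = tok.index(")", i)
            values, i = tok[i + 1:end], end + 1
        else:                                 # single value
            values, i = [tok[i]], i + 1
        at[key] = [v.strip("'") for v in values]
    return at

def classify(text):
    """Report the two properties worth checking before sending a modify."""
    at = parse_attribute_type(text)
    return {
        "name": at["NAME"][0] if at["NAME"] else at["oid"],
        "operational": at["USAGE"][0] != "userApplications",
        "user_modifiable": "NO-USER-MODIFICATION" not in at["flags"],
    }
```

Running `classify` over the definitions a server publishes in its subschema lets a client tell in advance which attributes in a planned modify request are flagged NO-USER-MODIFICATION.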
