Posted to users@directory.apache.org by Mike Davis <md...@rez1.com> on 2017/01/17 14:36:36 UTC

user modification/deletion of operational attributes

I have set up a special user that has rights to modify details of another
user. This prevents the need for our applications to log in as the admin
user, while still allowing password resets and such.

I'd like to give that user rights to delete the operational attribute
pwdAccountLockedTime. I've created a subentry that allows the user to
modify the password and such, but when I try to add in
pwdAccountLockedTime, it's not allowing that to happen. The error message
indicates that operational attributes cannot be modified by a user.

Is there a way to allow for a user to delete that attribute?

If not, is there a way to configure Apache DS to delete that attribute on
a password change?

// Mike


Re: user modification/deletion of operational attributes

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 17/01/2017 at 15:36, Mike Davis wrote:
> I have set up a special user that has rights to modify details of another
> user. This prevents the need for our applications to log in as the admin
> user, while still allowing password resets and such.
>
> I'd like to give that user rights to delete the operational attribute
> pwdAccountLockedTime. I've created a subentry that allows the user to
> modify the password and such, but when I try to add in
> pwdAccountLockedTime, it's not allowing that to happen. The error message
> indicates that operational attributes cannot be modified by a user. 
>
> Is there a way to allow for a user to delete that attribute?
No.

Here is the definition of this attributeType:

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime'
    DESC 'The time an user account was locked'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION    <<<----------------
    USAGE userApplications )

As you can see, it's forbidden by definition (which is defined in the
PasswordPolicy RFC draft).


> If not, is there a way to configure Apache DS to delete that attribute on
> a password change?

You should be able to modify this attribute if you send a modifyRequest
on the entry with a Password Policy control (1.3.6.1.4.1.42.2.27.8.5.1).

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
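
The schema flag the reply points to can be checked before writing an ACI for a delegated account. The following is an added example, not part of the original thread or of ApacheDS: a small parser for RFC 4512 attribute type descriptions that reports which requested attributes carry NO-USER-MODIFICATION. The function names and the userPassword sample are assumptions of this example.

```python
import re

# Constructed samples: the quoted definition (emphasis marker removed) and userPassword.
PWD_ACCOUNT_LOCKED_TIME = """attributetype ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime'
    DESC 'The time an user account was locked'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION
    USAGE userApplications )"""
USER_PASSWORD = ("( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch "
                 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )")

FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")

def parse_attributetype(text):
    """Parse one RFC 4512 attribute type description into a dict."""
    tokens = TOKEN.findall(text)
    if tokens and tokens[0].lower() == "attributetype":
        tokens = tokens[1:]  # schema-file prefix, as in the thread
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a parenthesised description")
    body = tokens[1:-1]
    attr = {"oid": body[0], "name": [], "flags": set()}
    i = 1
    while i < len(body):
        key = body[i].upper()
        i += 1
        if key in FLAGS:  # keywords that take no value
            attr["flags"].add(key)
        elif i < len(body) and body[i] == "(":  # list form: NAME ( 'a' 'b' )
            end = body.index(")", i)
            attr[key.lower()] = [t.strip("'") for t in body[i + 1:end]]
            i = end + 1
        elif i < len(body):
            value = body[i].strip("'")
            attr[key.lower()] = [value] if key == "NAME" else value
            i += 1
        else:
            raise ValueError("keyword %s has no value" % key)
    return attr

def blocked_by_schema(requested, definitions):
    """Return requested attribute names the schema marks NO-USER-MODIFICATION."""
    parsed = [parse_attributetype(d) for d in definitions]
    locked = {n.lower() for a in parsed
              if "NO-USER-MODIFICATION" in a["flags"] for n in a["name"]}
    return [r for r in requested if r.lower() in locked]
```

Any attribute this returns cannot be opened up by an access control subentry alone, which matches the error described in the question.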