Posted to users@directory.apache.org by Ca...@ibs-ag.com on 2011/11/10 19:48:30 UTC

Reassignment of password policy

Hi Folks, last question today.

I have two types of users - 'inside' and 'outside'. There exists a password policy for each type.
When users are created, the pwdPolicySubEntry attribute is added with the DN of the relevant policy. - OK

We have a case where users can be moved from inside to outside and vice versa.

LdapContext.rename(strOldDn, strNewDn);

Moving the user object as shown above works fine but I cannot figure out how to update the policy afterwards.

Tried to replace or delete the attribute; the following exception occurs:
[LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 45     Modify Request
Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
Modification[0]
Operation :  replace
Modification     pwdPolicySubEntry: ads-pwdId=cproint,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@878ad1e1: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation  ) ]

Is there a way to do this without creating a new entry and copying all the attributes?

Thanks
Carlo