Posted to users@directory.apache.org by Ca...@ibs-ag.com on 2011/11/14 15:08:33 UTC

ApacheDS changing value of pwdPolicySubEntry after creation

Hi, I'm stuck on this issue, any feedback is most appreciated.

I have two types of users - 'inside' and 'outside'. There exists a password policy for each type.
When users are created, the pwdPolicySubEntry attribute is added with the DN of the relevant policy. - OK

We have a case where users can be moved from inside to outside and vice versa.

LdapContext.rename(strOldDn, strNewDn);

Moving the user object as shown above works fine but I cannot figure out how to update the policy afterwards.

Tried to replace or delete the attribute, the following exception occurs.
[LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 45     Modify Request
Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
Modification[0]
Operation :  replace
Modification     pwdPolicySubEntry: ads-pwdId=cproint,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@878ad1e1<ma...@878ad1e1>: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation  ) ]

Is there a way to do this without creating a new entry and copying all the attributes?

More generally, is there an administrative type connection in which operational attributes can be updated?

Thanks Carlo


RE: ApacheDS changing value of pwdPolicySubEntry after creation

Posted by Ca...@ibs-ag.com.
The trunk is fine, I just pull down and rebuild. Thanks!

Regards,
Carlo Accorsi


-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Friday, November 18, 2011 11:14 AM
To: users@directory.apache.org
Subject: Re: ApacheDS changing value of pwdPolicySubEntry after creation

I have found the issue in the code that is preventing the admin user from modifying it.
Committed the fix in trunk, let me know if you want to apply this to a specific version (only on 2.0 milestone releases)
I can provide the patch for you
On Tue, Nov 15, 2011 at 11:17 AM,  <Ca...@ibs-ag.com> wrote:
> Hi, we're definitely using an admin to bind  'uid=admin,ou=system'
> The schema has a read-only flag so I don't know if what I'm asking to do is even possible?
>
> ( 1.3.6.1.4.1.42.2.27.8.1.23
> NAME 'pwdPolicySubentry'
> DESC 'The pwdPolicy subentry in effect for this object'
> EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> SINGLE-VALUE
> NO-USER-MODIFICATION
> USAGE directoryOperation
> X-SCHEMA 'null' )
>
>
> Regards,
> Carlo Accorsi



--
Kiran Ayyagari

Re: ApacheDS changing value of pwdPolicySubEntry after creation

Posted by Kiran Ayyagari <ka...@apache.org>.
I have found the issue in the code that is preventing the admin user
from modifying it.
Committed the fix in trunk, let me know if you want to apply this to a
specific version (only on 2.0 milestone releases)
I can provide the patch for you
On Tue, Nov 15, 2011 at 11:17 AM,  <Ca...@ibs-ag.com> wrote:
> Hi, we're definitely using an admin to bind  'uid=admin,ou=system'
> The schema has a read-only flag so I don't know if what I'm asking to do is even possible?
>
> ( 1.3.6.1.4.1.42.2.27.8.1.23
> NAME 'pwdPolicySubentry'
> DESC 'The pwdPolicy subentry in effect for this object'
> EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> SINGLE-VALUE
> NO-USER-MODIFICATION
> USAGE directoryOperation
> X-SCHEMA 'null' )
>
>
> Regards,
> Carlo Accorsi



-- 
Kiran Ayyagari
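
The move-then-update sequence discussed in this thread, as an added example that is not code from either poster or from the ApacheDS project: it renames the entry, replaces pwdPolicySubentry over the same admin connection, and reads the operational attribute back by name. The host and port, the ADS_ADMIN_PW environment variable, the class and method names, and the choice to undo the move on error 50 are assumptions of this example; the replace only succeeds on a server build that contains the fix mentioned above.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class MoveUserAndPolicy {
    // Move the entry, then point pwdPolicySubentry at the policy for its new location.
    static void moveUser(LdapContext ctx, String oldDn, String newDn, String policyDn)
            throws NamingException {
        ctx.rename(oldDn, newDn);
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("pwdPolicySubentry", policyDn))
        };
        try {
            ctx.modifyAttributes(newDn, mods);
        } catch (NoPermissionException e) {
            // LDAP result 50, as in the thread: the entry has moved but still carries
            // the old policy. This example undoes the move so the two stay consistent.
            ctx.rename(newDn, oldDn);
            throw e;
        }
        // Operational attributes are returned only when requested by name.
        Attribute a = ctx.getAttributes(newDn, new String[] {"pwdPolicySubentry"})
                .get("pwdPolicySubentry");
        // LdapName compares DNs without regard to case or spacing around separators.
        if (a == null || !new LdapName(policyDn).equals(new LdapName(String.valueOf(a.get())))) {
            throw new NamingException("pwdPolicySubentry not updated on " + newDn);
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:10389"); // assumed host and port
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system"); // admin DN from the thread
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("ADS_ADMIN_PW")); // assumed variable, must be set
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            moveUser(ctx, args[0], args[1], args[2]); // old DN, new DN, policy DN
        } finally {
            ctx.close();
        }
    }
}
```
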

RE: ApacheDS changing value of pwdPolicySubEntry after creation

Posted by Ca...@ibs-ag.com.
Hi, we're definitely using an admin to bind  'uid=admin,ou=system' 
The schema has a read-only flag so I don't know if what I'm asking to do is even possible? 

( 1.3.6.1.4.1.42.2.27.8.1.23 
NAME 'pwdPolicySubentry' 
DESC 'The pwdPolicy subentry in effect for this object' 
EQUALITY distinguishedNameMatch 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
SINGLE-VALUE 
NO-USER-MODIFICATION 
USAGE directoryOperation 
X-SCHEMA 'null' )


Regards,
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, November 15, 2011 10:06 AM
To: users@directory.apache.org
Subject: Re: ApacheDS changing value of pwdPolicySubEntry after creation

Are you modifying this entry as an admin user? If not, try modifying with an admin user connection/session. Let us know if there are any issues.

--
Kiran Ayyagari

Re: ApacheDS changing value of pwdPolicySubEntry after creation

Posted by Kiran Ayyagari <ka...@apache.org>.
Are you modifying this entry as an admin user? If not, try modifying
with an admin user connection/session.
Let us know if there are any issues.

On Mon, Nov 14, 2011 at 10:11 PM, Kiran Ayyagari <ka...@apache.org> wrote:
> sorry for the late reply, will take a look at this tomorrow and let you know



-- 
Kiran Ayyagari

Re: ApacheDS changing value of pwdPolicySubEntry after creation

Posted by Kiran Ayyagari <ka...@apache.org>.
sorry for the late reply, will take a look at this tomorrow and let you know




-- 
Kiran Ayyagari