Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2018/06/01 11:56:00 UTC

[jira] [Comment Edited] (DIRSTUDIO-1182) unable to add or see some attribute for pwdpolicy schema.

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497888#comment-16497888 ] 

Emmanuel Lecharny edited comment on DIRSTUDIO-1182 at 6/1/18 11:55 AM:
-----------------------------------------------------------------------

That is exactly what I told you to do in my previous comment :) Glad you got it working.

Regarding the {{pwdPolicySubentry}} attribute, it's an operational attribute, thus it's entirely meaningful for the server, but not for the client. It's not associated with any {{ObjectClass}}.

Normally, if it's a critical attribute, then it will also have the {{NO-USER-MODIFICATION}} flag that forbids the user to change it or add it to an entry. For instance:
{code:java}
( 1.3.6.1.4.1.42.2.27.8.1.23
         NAME 'pwdPolicySubentry'
         DESC 'The pwdPolicy subentry in effect for this object'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )
{code}

That means you can't modify or add this attribute. The server should reject the modification.

In this very case, the attribute (and its value) is managed automatically when you set up the subentry: either all the associated entries are modified by the server to have them pointing to the subentry containing the password policy configuration (costly if you have millions of entries...) or, better, this attribute is inferred (which costs a bit every time the entry is managed).

Anyway, this is very server dependent.

I strongly suggest you read the {{[PasswordPolicy|https://tools.ietf.org/html/draft-behera-ldap-password-policy-10]}} draft.


was (Author: elecharny):
That is exactly what I told you to do in my previous comment :-) Glad you got it working.

Regarding the {{pwdPolicySubentry}} attribute, it's an operational attribute, thus it's entirely meaningful for the server, but not for the client. It's not associated with any {{ObjectClass}}, so if you try to add such an attribute to an entry, you will get a warning.
Normally, if it's a critical attribute, then it will also have the {{NO-USER-MODIFICATION}} flag that forbids the user to change it or add it to an entry. For instance:

{code}
( 2.5.18.3 NAME 'creatorsName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE NO-USER-MODIFICATION
        USAGE directoryOperation )
{code}

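The schema check the comment describes, as an added Python example (not code from the ticket, OpenLDAP or Directory Studio): it parses RFC 4512 attribute type definitions, including the two quoted above and a constructed {{cn}} definition, and reports whether a client may add or modify each attribute before the server has to reject the operation.

```python
import re
# Constructed schema text: the two definitions quoted above plus a user attribute (cn).
SCHEMA_TEXT = """
( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry'
  DESC 'The pwdPolicy subentry in effect for this object'
  EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION
  USAGE directoryOperation )
( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
"""

def split_definitions(text):
    """Yield each top-level '( ... )' block; a NAME list nests parentheses."""
    depth, start = 0, None
    for i, ch in enumerate(text):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                yield text[start:i + 1]

def parse_attribute_type(definition):
    """Pull out the fields that decide whether a client may modify the attribute."""
    body = definition.strip()[1:-1]
    names = re.search(r"NAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", body).group(1)
    usage = re.search(r"\bUSAGE\s+(\w+)", body)  # RFC 4512 default: userApplications
    return {
        "names": re.findall(r"'([^']+)'", names),
        "no_user_modification": re.search(r"\bNO-USER-MODIFICATION\b", body) is not None,
        "usage": usage.group(1) if usage else "userApplications",
    }

def load_schema(text):
    # LDAP attribute names are case-insensitive, so index them lower-cased.
    attrs = [parse_attribute_type(d) for d in split_definitions(text)]
    return {n.lower(): a for a in attrs for n in a["names"]}

def check_user_modification(schema, attr_name):
    """(allowed, reason) a client can compute before sending a modify request."""
    attr = schema.get(attr_name.lower())
    if attr is None:
        return False, f"{attr_name}: unknown attribute type"
    if attr["no_user_modification"]:
        return False, f"{attr_name}: NO-USER-MODIFICATION, only the server sets it"
    if attr["usage"] != "userApplications":
        return False, f"{attr_name}: operational attribute (USAGE {attr['usage']})"
    return True, f"{attr_name}: user attribute, modification allowed"
```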


> unable to add or see some attribute for pwdpolicy schema.
> ---------------------------------------------------------
>
>                 Key: DIRSTUDIO-1182
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1182
>             Project: Directory Studio
>          Issue Type: Question
>            Reporter: steve balon
>            Priority: Major
>         Attachments: image-2018-05-31-23-56-59-154.png, image-2018-06-01-11-08-02-182.png, image-2018-06-01-12-55-42-535.png, image-2018-06-01-12-56-49-149.png
>
>
> We are deploying the PWDpolicy schema on our Open LDAP.
> I'm using Apache directory studio : 
> Version: 2.0.0.v20170904-M13
>  
> The schema has been uploaded to the ldap tree : 
> Including component versions:
> - openldap 2.4.44
> - openssl 1.0.2k
> - Berkeley DB 6.2.23
>  
> When we try to add the pwdPolicySubentry in one User
> the attribute is well recognized by the tool because it is shown in the entry: 
> !image-2018-05-31-23-56-59-154.png!
> but the addition fails with a message: 
> "Warning, according to the schema, the attribute pwdPolicySubentry is not authorized
> Do you still want to add it."
> if I add it, it's added somehow, because if I try the error message says that the attribute is already there or cannot have 2 values.
>  
> but even if I refresh, Apache Directory Studio didn't show it.
> I have the exact same issue with the attribute : pwdChangedTime
> I can enter a date, but it's not shown in the tree.
>  
> I really want to confirm how I can see that, because I also have a cluster of LDAP and want to be sure that those specific 2 entries are replicated, and I can't confirm it if I don't see it.
>  
> Do you have any idea or explanation for me?
>  
> Thanks.
>  
> Steve
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)