Posted to dev@directory.apache.org by "Rashid Mahmood (Jira)" <ji...@apache.org> on 2020/04/22 08:58:00 UTC

[jira] [Commented] (DIRSERVER-2306) Removing pwdAccountLockedTime Attribute with Technical User

    [ https://issues.apache.org/jira/browse/DIRSERVER-2306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089476#comment-17089476 ] 

Rashid Mahmood commented on DIRSERVER-2306:
-------------------------------------------

Delete the userPassword attribute and add it once again. This seems to unlock the user.

1). But what about the pwdAccountLockedTime attribute: will this operational attribute remain set? If yes, which problems could occur?

2). Does the password history remain, or would it be lost?

> Removing pwdAccountLockedTime Attribute with Technical User
> -----------------------------------------------------------
>
>                 Key: DIRSERVER-2306
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2306
>             Project: Directory ApacheDS
>          Issue Type: Task
>    Affects Versions: 2.0.0-M24
>            Reporter: Rashid Mahmood
>            Priority: Major
>
> We are connecting to ApacheDS LDAP with a technical user created with the ACL mentioned below. We are able to cover all of the requirements except the possibility for a user to unlock his account: when he tries to unlock the account, behind the scenes the technical user is unable to remove the pwdAccountLockedTime attribute and we receive an Access Rights error.
> We tried to switch to the Admin user, but then it contradicts another requirement, pwdHistory: the user was able to reuse an existing password during a password change https://issues.apache.org/jira/browse/DIRSERVER-2084
> Is it possible to handle both requirements with one technical user? Our preference was to handle it with our own user instead of the default admin.
> {code:java}
> dn: cn=fdLdapAuthorizationRequirementsACISubentry,dc=abc,dc=xyz
> changetype: add
> objectclass: top
> objectclass: subentry
> objectclass: accessControlSubentry
> cn: fdLdapAuthorizationRequirementsACISubentry
> subtreeSpecification: {}
> prescriptiveACI: {
>     identificationTag "directoryManagerFullAccessACI",
>     precedence 11,
>     authenticationLevel simple,
>     itemOrUserFirst userFirst:
>     {
>       userClasses
>       {
>        name { "uid=fdactmgr,ou=users,ou=system" }
>       },
>       userPermissions
>       { 
>         {
>           protectedItems
>           {
>             entry, allUserAttributeTypesAndValues
>           },
>           grantsAndDenials
>           {
>             grantAdd, grantDiscloseOnError, grantRead,
>             grantRemove, grantBrowse, grantExport, grantImport,
>             grantModify, grantRename, grantReturnDN,
>             grantCompare, grantFilterMatch, grantInvoke
>           } 
>         }
>       }
>     } 
>  }
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
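Added example for this thread (not part of the Jira ticket and not ApacheDS project code): a small Python script that parses the prescriptiveACI posted in the ticket, shows why a grant on allUserAttributeTypesAndValues does not let uid=fdactmgr remove pwdAccountLockedTime, and produces the narrowest ACI change that would. It assumes X.501 ACI semantics as ApacheDS applies them, namely that allUserAttributeTypes / allUserAttributeTypesAndValues cover user attributes only and an operational attribute has to be listed explicitly under attributeType and allAttributeValues; the user DN uid=bob,ou=users,dc=abc,dc=xyz and the unlock LDIF are illustrative.

```python
"""Why the ticket's technical user cannot clear pwdAccountLockedTime, and the
least-privilege ACI change that would let it.  Added example for this thread,
not ApacheDS project code.  Assumption (X.501 ACI semantics as ApacheDS applies
them): allUserAttributeTypes / allUserAttributeTypesAndValues cover user
attributes only, so an operational attribute such as pwdAccountLockedTime has
to be named explicitly under attributeType / allAttributeValues."""

LOCK_ATTR = "pwdAccountLockedTime"

# The prescriptiveACI value posted in DIRSERVER-2306, embedded as sample input.
TICKET_ACI = """{
  identificationTag "directoryManagerFullAccessACI", precedence 11,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name { "uid=fdactmgr,ou=users,ou=system" } },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, grantRemove,
        grantBrowse, grantExport, grantImport, grantModify, grantRename,
        grantReturnDN, grantCompare, grantFilterMatch, grantInvoke } } } } }"""


def _block_after(text, keyword):
    """Return the contents of the first brace block that follows keyword."""
    open_idx = text.index("{", text.index(keyword))
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces after " + keyword)


def _split_top_level(body):
    """Split on commas that are not nested inside braces."""
    items, cur, depth = [], [], 0
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return items + [tail] if tail else items


def protected_items(aci):
    """Top-level protectedItems of the ACI's (first) userPermissions block."""
    return _split_top_level(_block_after(aci, "protectedItems"))


def grants(aci):
    """Grant/deny keywords of the (first) grantsAndDenials block."""
    return {g.strip() for g in _block_after(aci, "grantsAndDenials").split(",") if g.strip()}


def _named_attrs(items, kind):
    """Attribute types listed under an item such as 'attributeType { a, b }'."""
    names = set()
    for item in items:
        if item.startswith(kind):
            inner = item[item.index("{") + 1:item.rindex("}")]
            names.update(n.strip() for n in inner.split(",") if n.strip())
    return names


def can_remove_operational_attr(aci, attr=LOCK_ATTR):
    """True only if attr is named explicitly (type and values) and the ACI grants
    Remove and Modify.  The ticket's ACI gives False: allUserAttributeTypesAndValues
    does not reach an operational attribute, hence the access-rights error."""
    items = protected_items(aci)
    named = attr in _named_attrs(items, "attributeType") and attr in _named_attrs(items, "allAttributeValues")
    return named and {"grantRemove", "grantModify"} <= grants(aci)


def with_lock_attr_access(aci, attr=LOCK_ATTR):
    """Add attributeType/allAttributeValues items for attr to protectedItems.
    Only this one operational attribute is added (least privilege), not
    allAttributeTypes; idempotent if the items are already present."""
    body = _block_after(aci, "protectedItems")
    items = _split_top_level(body)
    if attr not in _named_attrs(items, "attributeType"):
        items.append(f"attributeType {{ {attr} }}")
    if attr not in _named_attrs(items, "allAttributeValues"):
        items.append(f"allAttributeValues {{ {attr} }}")
    open_idx = aci.index("{", aci.index("protectedItems"))
    return aci[:open_idx + 1] + " " + ", ".join(items) + " " + aci[open_idx + 1 + len(body):]


def unlock_ldif(user_dn, attr=LOCK_ATTR):
    """The modify the technical user has to perform to clear the lock; it is the
    operation the ticket reports as failing with an access-rights error."""
    return f"dn: {user_dn}\nchangetype: modify\ndelete: {attr}\n-\n"


if __name__ == "__main__":
    print(can_remove_operational_attr(TICKET_ACI))  # False
    fixed = with_lock_attr_access(TICKET_ACI)
    print(can_remove_operational_attr(fixed))       # True
    print(fixed)
    print(unlock_ldif("uid=bob,ou=users,dc=abc,dc=xyz"))  # hypothetical user DN
```

Applying the output of with_lock_attr_access() to the subentry keeps the technical user as the one performing the unlock, so the password-change path does not have to be moved to the admin user, which the ticket reports as letting users reuse an old password (DIRSERVER-2084). The grant is limited to pwdAccountLockedTime rather than allAttributeTypes, so the same user still cannot touch pwdHistory or other operational attributes. The commenter's workaround of deleting and re-adding userPassword works under the original ACI because userPassword is a user attribute and therefore inside allUserAttributeTypesAndValues. The check only walks the first userPermissions block; an ACI with several blocks, or a second subentry, needs each of them inspected.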
