[ https://issues.apache.org/jira/browse/DIRSTUDIO-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497888#comment-16497888 ]

Emmanuel Lecharny edited comment on DIRSTUDIO-1182 at 6/1/18 11:55 AM:
-----------------------------------------------------------------------

That is exactly what I told you to do in my previous comment :) Glad you got it 
working.

Regarding the {{pwdPolicySubentry}} attribute, it's an operational attribute, 
thus it's entirely meaningful for the server, but not for the client. It's not 
associated with any {{ObjectClass}}.

Normally, if it's a critical attribute, then it will also have the 
{{NO-USER-MODIFICATION}} flag that forbids the user to change it or add it to an 
entry. For instance:
{code}
( 1.3.6.1.4.1.42.2.27.8.1.23
         NAME 'pwdPolicySubentry'
         DESC 'The pwdPolicy subentry in effect for this object'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )
{code}

That means you can't modify or add this attribute. The server should reject the 
modification.

In this very case, the attribute (and its value) is managed automatically when 
you set up the subentry: either all the associated entries are modified by the 
server to have them pointing to the subentry containing the password policy 
configuration (costly if you have millions of entries...) or, better, this 
attribute is inferred (which costs a bit every time the entry is managed).

Anyway, this is very server dependent.

I strongly suggest you read the 
{{[PasswordPolicy|https://tools.ietf.org/html/draft-behera-ldap-password-policy-10]}} 
draft.


was (Author: elecharny):
That is exactly what I told you to do in my previous comment :-) Glad you got 
it working.

Regarding the {{pwdPolicySubentry}} attribute, it's an operational attribute, 
thus it's entirely meaningful for the server, but not for the client. It's not 
associated with any {{ObjectClass}}, so if you try to add such an attribute to 
an entry, you will get a warning.
Normally, if it's a critical attribute, then it will also have the 
{{NO-USER-MODIFICATION}} flag that forbids the user to change it or add it to an 
entry. For instance:

{code}
( 2.5.18.3 NAME 'creatorsName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE NO-USER-MODIFICATION
        USAGE directoryOperation )
{code}
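The two schema definitions quoted in this comment can be checked mechanically. The following added example (not part of the issue or of Directory Studio's code) parses an RFC 4512 attribute type description and applies the rule stated above: an attribute carrying NO-USER-MODIFICATION must be rejected on the client side, an operational attribute without that flag only deserves a warning. The third definition, with a placeholder OID, is constructed for contrast.

```python
import re

# RFC 4512 attribute type descriptions: the two quoted in the comment above and a constructed user attribute (placeholder OID).
PWD_POLICY_SUBENTRY = """( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry'
    DESC 'The pwdPolicy subentry in effect for this object'
    EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )"""
CREATORS_NAME = """( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION
    USAGE directoryOperation )"""
EXAMPLE_USER_ATTR = """( 1.3.6.1.4.1.99999.1.1 NAME ( 'exampleNote' 'xNote' )
    DESC 'constructed user attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"""

FLAGS = {"SINGLE-VALUE", "NO-USER-MODIFICATION", "OBSOLETE", "COLLECTIVE"}
KEYWORDS = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}

def parse_attribute_type(defn):
    """Parse a parenthesised AttributeTypeDescription into a dict (RFC 4512 subset)."""
    body = defn.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("description must be wrapped in parentheses")
    tokens = re.findall(r"'[^']*'|\S+", body[1:-1])
    attr = {"oid": tokens[0], "flags": set(), "usage": "userApplications"}  # RFC default
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            attr["flags"].add(tok)
            i += 1
        elif tok in KEYWORDS and i + 1 < len(tokens):
            if tokens[i + 1] == "(":  # qdescrs list such as NAME ( 'a' 'b' ): keep first
                attr[tok.lower()] = tokens[i + 2].strip("'")
                i = tokens.index(")", i + 2) + 1
            else:
                attr[tok.lower()] = tokens[i + 1].strip("'")
                i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return attr

def classify_client_write(defn):
    """Apply the comment's rule: NO-USER-MODIFICATION attributes are owned by the server."""
    attr = parse_attribute_type(defn)
    name = attr.get("name", attr["oid"])
    if "NO-USER-MODIFICATION" in attr["flags"]:
        return "reject", f"{name}: NO-USER-MODIFICATION, the server should refuse the write"
    if attr["usage"] != "userApplications":
        return "warn", f"{name}: operational (USAGE {attr['usage']}), not in any objectClass"
    return "allow", f"{name}: ordinary user attribute"
```

Running `classify_client_write` on the two quoted definitions yields "reject", which is the outcome the server (and a schema-aware client) should enforce.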



> unable to add or see some attribute for pwdpolicy schema.
> ---------------------------------------------------------
>
>                 Key: DIRSTUDIO-1182
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1182
>             Project: Directory Studio
>          Issue Type: Question
>            Reporter: steve balon
>            Priority: Major
>         Attachments: image-2018-05-31-23-56-59-154.png, 
> image-2018-06-01-11-08-02-182.png, image-2018-06-01-12-55-42-535.png, 
> image-2018-06-01-12-56-49-149.png
>
>
> We are deploying the PWDpolicy schema on our OpenLDAP.
> I'm using Apache Directory Studio: 
> Version: 2.0.0.v20170904-M13
>  
> The schema has been uploaded to the LDAP tree: 
> Including component versions:
> - openldap 2.4.44
> - openssl 1.0.2k
> - Berkeley DB 6.2.23
>  
> When we try to add the pwdPolicySubentry in one User,
> the attribute is well recognized by the tool because it is shown in the entry: 
> !image-2018-05-31-23-56-59-154.png!
> but the addition fails with a message: 
> "Warning, according to the schema, the attribute pwdPolicySubentry is not 
> authorized
> Do you still want to add it."
> If I add it, it's added somehow, because if I try, the error message says that 
> the attribute is already there or cannot have 2 values.
>  
> But even if I refresh, Apache Directory Studio doesn't show it.
> I have the exact same issue with the attribute: pwdChangedTime
> I can enter a date, but it's not shown in the tree.
>  
> I really want to confirm how I can see that, because also, I have a cluster 
> of LDAP and want to be sure that those 2 specific entries are replicated, and I 
> can't confirm it if I don't see it.
>  
> Do you have any idea or explanation for me?
>  
> Thanks.
>  
> Steve
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)