Yet, I can set this attribute from LAM by importing an LDIF. I'm not sure I
know what you mean by "LAM does not and cannot set the attribute".

--
Isaac Freeman - Systems Administrator
IBM Information Protection Services
[email protected]
919-254-0245
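The LDIF route mentioned in this message, as an added example (not code from the thread or from LAM): it reads the ppolicy operational attributes from an entry and builds the modify LDIF that clears the lock and sets pwdReset. The DN, timestamps, clock value and function names are constructed for illustration, and it assumes the search requested operational attributes explicitly and that the server accepts the change as described in the thread.

```python
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # slapo-ppolicy marker: locked until an admin unlocks

# Constructed sample entry, as a search that requests operational attributes might return it.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
pwdChangedTime: 20110920142400Z
pwdFailureTime: 20110927190101Z
pwdFailureTime: 20110927190105Z
pwdAccountLockedTime: 20110927190105Z
"""
SAMPLE_NOW = datetime(2011, 9, 27, 20, 0, tzinfo=timezone.utc)  # constructed clock

def parse_entry(ldif):
    """Parse one unfolded, non-base64 LDIF entry into {lowercased attr: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def ppolicy_state(entry, now, lockout_duration=0):
    """lockout_duration: the policy's pwdLockoutDuration in seconds (0 = no automatic unlock)."""
    locked_at = entry.get("pwdaccountlockedtime", [None])[0]
    if locked_at is None:
        locked = False
    elif locked_at == PERMANENT_LOCK or lockout_duration == 0:
        locked = True
    else:
        t = datetime.strptime(locked_at, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        locked = now < t + timedelta(seconds=lockout_duration)
    return {
        "locked": locked,
        "pwd_reset": entry.get("pwdreset", ["FALSE"])[0].upper() == "TRUE",
        "failures": len(entry.get("pwdfailuretime", [])),
    }

def reset_ldif(entry, force_change):
    """Build the modify LDIF: drop the lock if present, then set pwdReset TRUE or FALSE."""
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    if "pwdaccountlockedtime" in entry:
        lines += ["delete: pwdAccountLockedTime", "-"]
    lines += ["replace: pwdReset", f"pwdReset: {'TRUE' if force_change else 'FALSE'}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    e = parse_entry(SAMPLE_LDIF)
    print(ppolicy_state(e, SAMPLE_NOW))
    print(reset_ldif(e, force_change=True))
```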



From:   "Darin Perusich" <[email protected]>
To:     Isaac Freeman/Raleigh/Contr/IBM@IBMUS
Cc:     <[email protected]>
Date:   09/27/2011 04:11 PM
Subject:        RE: [Lam-public] OpenLDAP ppolicy attributes.



When an administrator resets a password, the pwdReset attribute is set to
TRUE by the directory server; LAM does not and cannot set the attribute.
You are correct that this value typically doesn’t exist for an object and,
if present, once the user changes their password it is removed by the
directory server; this is the case for OpenDJ.

You are able to view these internal attributes by going to the “tree view”,
selecting the user object, and clicking the “show internal attributes”
link. But the user you’ve logged in as must have password reset privileges
in order to view them.

--
Darin Perusich
Email: [email protected]
Office: 716-888-3690

From: Isaac Freeman [mailto:[email protected]]
Sent: Tuesday, September 27, 2011 3:32 PM
To: Roland Gruber
Cc: [email protected]
Subject: Re: [Lam-public] OpenLDAP ppolicy attributes.



Thanks, I didn't know those controls corresponded to those values. That's
kind of what I'm looking for. But, perhaps I misunderstand how pwdReset
works. The way I see it is it's a value which is generally not existent on
the user object, and when you set it it resets whether or not the account
is locked out. And when you set it, you can set it either as TRUE or FALSE,
TRUE meaning the user will be asked to change their password, and FALSE
they won't. So it's not really a toggle value, but more of a function which
accepts a toggle argument. The more general option which determines if a
user must change their password if it's reset is the pwdMustChange
attribute on the pwdPolicy object, and setting the pwdReset to TRUE
overrides pwdMustChange.

From the Zytrax page: "Add the operational attribute pwdReset with a value
of either TRUE or FALSE. FALSE is only effective if the password has not
expired and has the same effect as deleting pwdAccountLockedTime."

So I don't think LAM uses the pwdReset attribute correctly as it was
intended. It should probably be more like: have a button to reset the
account, and 2 radio buttons to represent the TRUE and FALSE settings (with
probably more descriptive labels).

Also, it would be nice if there was a way to view the read-only attributes
in the ppolicy tab under the user account.

--
Isaac Freeman - Systems Administrator
IBM Information Protection Services
[email protected]
919-254-0245

From: Roland Gruber <[email protected]>
To: [email protected]
Date: 09/24/2011 05:51 PM
Subject: Re: [Lam-public] OpenLDAP ppolicy attributes.




Hi Isaac,

pwdAccountLockedTime can be set with the button "(Un)Lock account". The
attribute pwdReset is controlled via the checkbox "Password change
required".
The other attributes are marked as read-only in the documentation.

Does this help you?


Best regards

Roland



On 23.09.2011 16:03, Isaac Freeman wrote:
>
> Thanks, Roland. However, I have seen this page and have this module
> enabled, but this does not give me access to the operational attributes
> OpenLDAP uses such as pwdReset and pwdFailureCount, etc. Please see the
> link in my original mail below for a list of these attributes.
>
> --
> Isaac Freeman - Systems Administrator
> IBM Information Protection Services
> [email protected]
> 919-254-0245
>
>
>
> From: Roland Gruber <[email protected]>
> To: [email protected]
> Date: 09/23/2011 05:10 AM
> Subject: Re: [Lam-public] OpenLDAP ppolicy attributes.
>
>
>
> Hi Isaac,
>
> yes, there is a user module for ppolicy in LAM Pro. Just enable it in your
> LAM server profile (tab "Modules").
>
> See also here:
>
> http://www.ldap-account-manager.org/static/doc/manual/ch03.html#idp5610512
>
> Best regards
>
> Roland
>
>
>
> On 20.09.2011 16:24, Isaac Freeman wrote:
>>
>>
>> In OpenLDAP using the ppolicy overlay, there are certain hidden(?) (or
>> maybe implied?) attributes attached to any account with a ppolicy extension
>> which are not returned by a simple LDAP search, such as
>> pwdAccountLockedTime and pwdChangedTime. Is there a simple way to
>> manipulate these attributes with LAM (Pro)? They don't show up in the user
>> account screen's ppolicy tab, or in the tree view. Currently, the only way
>> I have to modify these (including the pwdReset attribute used to unlock an
>> account) is to import an LDIF modifying the account directly.
>>
>> http://www.zytrax.com/books/ldap/ch6/ppolicy.html#operationalattributes
>>
>> --
>> Isaac Freeman - Systems Administrator
>> IBM Information Protection Services
>> [email protected]
>> 919-254-0245
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>> All the data continuously generated in your IT infrastructure contains a
>> definitive record of customers, application performance, security
>> threats, fraudulent activity and more. Splunk takes this data and makes
>> sense of it. Business sense. IT sense. Common sense.
>> http://p.sf.net/sfu/splunk-d2dcopy1
>>
>>
>>
>> _______________________________________________
>> Lam-public mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/lam-public
>
>
> --
>
> Best regards
>
> Roland Gruber
>
>
--

Best regards

Roland Gruber