Re: [389-users] Disable Inactive Users After 90 days
On 05/09/2012 07:45 AM, Ali Jawad wrote:
> Hi
>
> I have a requirement to disable inactive users after 90 days. I did read
> http://directory.fedoraproject.org/wiki/Account_Policy_Design but I am
> not sure whether this is a design proposal or the actual implementation.
>
> My DS version is:
>
> rpm -qa | grep 389
> 389-admin-console-1.1.8-1.el5
> 389-ds-base-1.2.9.9-1.el5
> 389-dsgw-1.1.7-2.el5
> 389-console-1.1.7-3.el5
> 389-adminutil-1.1.14-1.el5
> 389-admin-1.1.23-1.el5
> 389-admin-console-doc-1.1.8-1.el5
> 389-ds-1.2.1-1.el5
> 389-ds-base-libs-1.2.9.9-1.el5
> 389-ds-console-1.2.6-1.el5
> 389-ds-console-doc-1.2.6-1.el5
>
> I got
>
> [root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b cn=config -s base lastLoginTime
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope baseObject
> # filter: (objectclass=*)
> # requesting: lastLoginTime
> #
>
> # config
> dn: cn=config
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> and
>
> [root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>
> I am not sure how to implement this though, please advise.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html

> Regards

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] Disable Inactive Users After 90 days
On 05/09/2012 08:17 AM, Ali Jawad wrote:
> Hi
>
> Thanks Rich, just what I was searching for, I am facing a problem though
>
> ldapmodify: No such object (32)
>         matched DN: dc=domain,dc=local
>
> at:
>
> [user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>
> dn: cn=Account Inactivation Policy,dc=example,dc=com
> objectClass: top
> objectClass: ldapsubentry
> objectClass: extensibleObject
> objectClass: accountpolicy
> accountInactivityLimit: 2592000
> cn: Account Inactivation Policy
>
> I am doing
>
> [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
> dn: cn=Account Inactivation Policy,dc=domain,dc=local
> objectClass: top
> objectClass: ldapsubentry
> objectClass: extensibleObject
> objectClass: accountpolicy
> accountInactivityLimit: 2592000
> cn: Account Inactivation Policy
>
> modifying entry cn=Account Inactivation Policy,dc=domain,dc=local
> ldapmodify: No such object (32)
>         matched DN: dc=domain,dc=local

Right. You are missing the ldapmodify -a - see the original instructions
Re: [389-users] Disable Inactive Users After 90 days
Hi Rich

Your help is highly appreciated, I got it working, thanks for your patience.

Regards

On Wed, May 9, 2012 at 5:19 PM, Rich Megginson rmegg...@redhat.com wrote:
> Right. You are missing the ldapmodify -a - see the original instructions

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: [389-users] Disable Inactive Users After 90 days
Hi Rich

Seems I still got a problem, the users can't logon anymore, I did try to

dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime

But I keep getting

ldapmodify: extra lines at end (line 3 of entry uid=username,ou=people,dc=domain,dc=local)

I checked for whitespaces, extra lines..but still same issue

I did also check for lastLoginTime values in the users in the interface, but the value is empty..so not sure if this is the problem at all

Regards

On Wed, May 9, 2012 at 5:26 PM, Ali Jawad ali.ja...@splendor.net wrote:
> Hi Rich
>
> Your help is highly appreciated, I got it working, thanks for your patience.

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: [389-users] Disable Inactive Users After 90 days
On 05/09/2012 10:09 AM, Ali Jawad wrote:
> Hi Rich
>
> Seems I still got a problem, the users can't logon anymore, I did try to
>
> dn: uid=username,ou=people,dc=domain,dc=local
> changetype: delete
> delete: lastLoginTime
>
> But I keep getting
>
> ldapmodify: extra lines at end (line 3 of entry uid=username,ou=people,dc=domain,dc=local)
>
> I checked for whitespaces, extra lines..but still same issue
>
> I did also check for lastLoginTime values in the users in the interface, but the value is empty..so not sure if this is the problem at all

does ldapmodify -d 1 give any more useful information?

> Regards
Re: [389-users] Disable Inactive Users After 90 days
Are you doing this via an ldif file or stdin?

Try

echo -e "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype: delete\ndelete: lastLoginTime\n\n" | ldapmodify -x -h yourhost -D "cn=directory manager" -wPaSsWoRd

Jim

On Wed, May 9, 2012 at 11:09 AM, Rich Megginson rmegg...@redhat.com wrote:
> does ldapmodify -d 1 give any more useful information?
Re: [389-users] Disable Inactive Users After 90 days
Stdin, problem is even new users can't register anymore. Not just existing ones..will test your suggestion

Regards

On Wed, May 9, 2012 at 7:13 PM, Jim Finn jamespf...@gmail.com wrote:
> Are you doing this via an ldif file or stdin?
>
> Try
>
> echo -e "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype: delete\ndelete: lastLoginTime\n\n" | ldapmodify -x -h yourhost -D "cn=directory manager" -wPaSsWoRd
>
> Jim

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: [389-users] Disable Inactive Users After 90 days
Hi

Thanks Rich, just what I was searching for, I am facing a problem though

ldapmodify: No such object (32)
        matched DN: dc=domain,dc=local

at:

[user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x

dn: cn=Account Inactivation Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy

I am doing

[root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
dn: cn=Account Inactivation Policy,dc=domain,dc=local
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy

modifying entry cn=Account Inactivation Policy,dc=domain,dc=local
ldapmodify: No such object (32)
        matched DN: dc=domain,dc=local

On Wed, May 9, 2012 at 4:47 PM, Rich Megginson rmegg...@redhat.com wrote:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
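
Both ldapmodify errors in this thread (No such object (32) when -a is left out, and "extra lines at end" after changetype: delete) follow from how the operation for an LDIF record is chosen. The Python sketch below is an added example, not code from the thread or from the 389 project; the function names are hypothetical and the sample records are constructed from the ones quoted in the messages.

```python
# Added example: predict how ldapmodify reads one LDIF record, following the
# change-record layout of RFC 2849. Function names are hypothetical.

MOD_KEYWORDS = ("add", "delete", "replace")


def classify_record(record, add_flag=False):
    """Return (operation, problems) for one LDIF record.

    add_flag mirrors `ldapmodify -a`: a record with no changetype line is
    sent as an add with -a and as a modify without it.
    """
    lines = [ln for ln in record.strip().splitlines() if not ln.startswith("#")]
    if not lines or not lines[0].lower().startswith("dn:"):
        return None, ["record must begin with a dn: line"]
    body = lines[1:]
    if body and body[0].lower().startswith("changetype:"):
        op = body[0].split(":", 1)[1].strip().lower()
        rest = body[1:]
    else:
        op = "add" if add_flag else "modify"
        rest = body
    first_extra = len(lines) - len(rest) + 1  # 1-based line number of rest[0]
    problems = []
    if op == "delete" and rest:
        # changetype: delete removes the whole entry and takes no more lines.
        problems.append("line %d: nothing may follow changetype: delete; to "
                        "remove one attribute use changetype: modify"
                        % first_extra)
    elif op == "modify" and rest:
        keyword = rest[0].split(":", 1)[0].strip().lower()
        if keyword not in MOD_KEYWORDS:
            # A full entry sent as a modify targets an entry that must already
            # exist, hence "No such object (32)" for a new policy entry.
            problems.append("line %d: record is a whole entry but will be "
                            "sent as a modify; use -a or changetype: add"
                            % first_extra)
    return op, problems


def delete_attribute_record(dn, attr):
    """LDIF that removes one attribute and leaves the entry itself in place."""
    return "dn: %s\nchangetype: modify\ndelete: %s\n" % (dn, attr)


def days_to_limit(days):
    """accountInactivityLimit is in seconds: 2592000 is 30 days, not 90."""
    return days * 24 * 60 * 60


# Constructed from the policy entry quoted in the thread.
POLICY_ENTRY = """\
dn: cn=Account Inactivation Policy,dc=domain,dc=local
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy
"""

# Constructed from the record that produced "extra lines at end".
BROKEN_DELETE = """\
dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime
"""

if __name__ == "__main__":
    print(classify_record(POLICY_ENTRY))                  # without -a
    print(classify_record(POLICY_ENTRY, add_flag=True))   # with -a
    print(classify_record(BROKEN_DELETE))
    fixed = delete_attribute_record(
        "uid=username,ou=people,dc=domain,dc=local", "lastLoginTime")
    print(fixed, classify_record(fixed))
    print("90 days =", days_to_limit(90), "seconds")
```
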