Sorry for the late reply, will take a look at this tomorrow and let you know.

On Mon, Nov 14, 2011 at 9:08 AM, <carlo.acco...@ibs-ag.com> wrote:
> Hi, I'm stuck on this issue, any feedback is most appreciated.
>
> I have two types of users - 'inside' and 'outside'. There exists a password
> policy for each type.
> When users are created, the pwdPolicySubEntry attribute is added with the DN
> of the relevant policy. - OK
>
> We have a case where users can be moved from inside to outside and vice versa.
>
> LdapContext.rename(strOldDn, strNewDn);
>
> Moving the user object as shown above works fine but I cannot figure out how
> to update the policy afterwards.
>
> Tried to replace or delete the attribute, the following exception occurs.
> [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType :
> MODIFY_REQUEST Message ID : 45 Modify Request
> Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
> Modification[0]
> Operation : replace
> Modification pwdPolicySubEntry:
> ads-pwdId=cproint,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@878ad1e1:
> ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE (
> 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC The pwdPolicy
> subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE
> directoryOperation ) ]
>
> Is there a way to do this without creating a new entry and copying all the
> attributes?
>
> More generally, is there an administrative type connection in which
> operational attributes can be updated?
>
> Thanks Carlo
>

--
Kiran Ayyagari