Hi, we're definitely using an admin to bind 'uid=admin,ou=system'.
The schema has a read-only flag so I don't know if what I'm asking to do is even possible?

( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-SCHEMA 'null' )

Regards,
Carlo Accorsi

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kiran Ayyagari
Sent: Tuesday, November 15, 2011 10:06 AM
To: [email protected]
Subject: Re: ApacheDS changing value of pwdPolicySubEntry after creation

are you modifying this entry as an admin user?
if not try modifying with an admin user connection/session
let us know if there are any issues.

On Mon, Nov 14, 2011 at 10:11 PM, Kiran Ayyagari <[email protected]> wrote:
> sorry for the late reply, will take a look at this tomorrow and let
> you know
>
> On Mon, Nov 14, 2011 at 9:08 AM, <[email protected]> wrote:
>> Hi, I'm stuck on this issue, any feedback is most appreciated.
>>
>> I have two types of users - 'inside' and 'outside'. There exists a
>> password policy for each type.
>> When users are created, the pwdPolicySubEntry attribute is added with
>> the DN of the relevant policy. - OK
>>
>> We have a case where users can be moved from inside to outside and vice versa.
>>
>> LdapContext.rename(strOldDn, strNewDn);
>>
>> Moving the user object as shown above works fine but I cannot figure out how
>> to update the policy afterwards.
>>
>> Tried to replace or delete the attribute, the following exception occurs.
>>
>> [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
>> Message ID : 45
>> Modify Request
>> Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
>> Modification[0]
>> Operation : replace
>> Modification pwdPolicySubEntry: ads-pwdId=cproint,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@878ad1e1: ERR_52 Cannot modify the attribute :
>> ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry'
>> DESC The pwdPolicy subentry in effect for this object EQUALITY
>> distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>> SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ]
>>
>> Is there a way to do this without creating a new entry and copying all the
>> attributes?
>>
>> More generally, is there an administrative type connection in which
>> operational attributes can be updated?
>>
>> Thanks
>> Carlo
>>
>
> --
> Kiran Ayyagari
>

--
Kiran Ayyagari
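
A pre-flight check for the failure quoted above, as an added example that is not part of the original thread or of ApacheDS: it parses an attribute type definition in the RFC 4512 format shown in the message and reports whether the schema marks it NO-USER-MODIFICATION, the flag that appears in the ERR_52 text. The class and method names (AttributeTypeCheck, parse, clientMayModify) are hypothetical.

```java
import java.util.*;
import java.util.regex.*;

public class AttributeTypeCheck {
    // RFC 4512 keywords that take no value.
    private static final Set<String> FLAGS =
        Set.of("OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION");
    // A token is a parenthesis, a single-quoted string, or a bare word.
    private static final Pattern TOKEN = Pattern.compile("[()]|'[^']*'|[^\\s()']+");

    static Map<String, List<String>> parse(String definition) {
        List<String> t = new ArrayList<>();
        for (Matcher m = TOKEN.matcher(definition); m.find(); ) t.add(m.group());
        int end = t.size() - 1;
        if (end < 2 || !t.get(0).equals("(") || !t.get(end).equals(")"))
            throw new IllegalArgumentException("expected '( oid ... )'");
        Map<String, List<String>> fields = new LinkedHashMap<>();
        fields.put("OID", List.of(t.get(1)));
        for (int i = 2; i < end; i++) {
            String key = t.get(i);
            List<String> values = new ArrayList<>();   // stays empty for flags
            if (!FLAGS.contains(key)) {
                if (++i >= end) throw new IllegalArgumentException("no value for " + key);
                if (t.get(i).equals("(")) {            // value list, e.g. NAME ( 'a' 'b' )
                    while (++i < end && !t.get(i).equals(")")) values.add(unquote(t.get(i)));
                    if (i >= end) throw new IllegalArgumentException("unclosed list for " + key);
                } else {
                    values.add(unquote(t.get(i)));
                }
            }
            fields.put(key, values);
        }
        return fields;
    }

    private static String unquote(String s) {
        return s.startsWith("'") ? s.substring(1, s.length() - 1) : s;
    }

    // The schema, not the bind identity, decides this: the flag applies to every client modify.
    static boolean clientMayModify(Map<String, List<String>> fields) {
        return !fields.containsKey("NO-USER-MODIFICATION");
    }

    public static void main(String[] args) {
        // Definition copied from the message above.
        String def = "( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' "
            + "DESC 'The pwdPolicy subentry in effect for this object' "
            + "EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
            + "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-SCHEMA 'null' )";
        Map<String, List<String>> f = parse(def);
        System.out.println(f.get("NAME") + " usage=" + f.get("USAGE")
            + " clientMayModify=" + clientMayModify(f));
    }
}
```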
