On 05/09/2012 10:09 AM, Ali Jawad wrote:
Hi Rich
Seems I still got a problem, the users can't log on anymore, I did try to

dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime

But I keep getting

ldapmodify: extra lines at end (line 3 of entry "uid=username,ou=people,dc=domain,dc=local")

I checked for whitespace and extra lines, but still the same issue.

I did also check for lastLoginTime values in the users in the interface, but the value is empty, so not sure if this is the problem at all.

Does ldapmodify -d 1 give any more useful information?


Regards





On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <[email protected]> wrote:

    Hi Rich
    Your help is highly appreciated, I got it working, thanks for your
    patience.
    Regards


    On Wed, May 9, 2012 at 5:19 PM, Rich Megginson
    <[email protected]> wrote:

        On 05/09/2012 08:17 AM, Ali Jawad wrote:
        Hi
        Thanks Rich, just what I was searching for, I am facing a
        problem though "ldapmodify: No such object (32) matched DN:
        dc=domain,dc=local" at:

        [user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x

        dn: cn=Account Inactivation Policy,dc=example,dc=com
        objectClass: top
        objectClass: ldapsubentry
        objectClass: extensibleObject
        objectClass: accountpolicy
        accountInactivityLimit: 2592000
        cn: Account Inactivation Policy

        I am doing

        [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x

        dn: cn=Account Inactivation Policy,dc=domain,dc=local
        objectClass: top
        objectClass: ldapsubentry
        objectClass: extensibleObject
        objectClass: accountpolicy
        accountInactivityLimit: 2592000
        cn: Account Inactivation Policy
        modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"

        ldapmodify: No such object (32)
                matched DN: dc=domain,dc=local

        Right.  You are missing the ldapmodify -a - see the original
        instructions



        On Wed, May 9, 2012 at 4:47 PM, Rich Megginson
        <[email protected]> wrote:

            On 05/09/2012 07:45 AM, Ali Jawad wrote:
            Hi
            I have a requirement to disable inactive users after 90
            days. I did read
            http://directory.fedoraproject.org/wiki/Account_Policy_Design
            but I am not sure whether this is a design proposal or
            the actual implementation.

            My DS version is :

            rpm -qa | grep 389
            389-admin-console-1.1.8-1.el5
            389-ds-base-1.2.9.9-1.el5
            389-dsgw-1.1.7-2.el5
            389-console-1.1.7-3.el5
            389-adminutil-1.1.14-1.el5
            389-admin-1.1.23-1.el5
            389-admin-console-doc-1.1.8-1.el5
            389-ds-1.2.1-1.el5
            389-ds-base-libs-1.2.9.9-1.el5
            389-ds-console-1.2.6-1.el5
            389-ds-console-doc-1.2.6-1.el5

            I got

            [root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b "cn=config" -s base lastLoginTime
            # extended LDIF
            #
            # LDAPv3
            # base <cn=config> with scope baseObject
            # filter: (objectclass=*)
            # requesting: lastLoginTime
            #

            # config
            dn: cn=config

            # search result
            search: 2
            result: 0 Success

            # numResponses: 2
            # numEntries: 1

            and

            [root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
            /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
            /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'

            I am not sure how to implement this though, please advise.

            http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html

            Regards



            --
            389 users mailing list
            [email protected]
            https://admin.fedoraproject.org/mailman/listinfo/389-users




        --
        Ali Jawad
        Information Systems Manager
        Splendor Telecom (www.splendor.net)
        Beirut, Lebanon
        Phone: +9611373725/ext 116
        FAX: +9611375554







--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
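
The two ldapmodify failures in this thread (the "extra lines at end" error and the "No such object (32)" error) both come from the shape of the LDIF change record, so they can be caught before anything is sent to the server. The following linter is an added example, not part of the original messages or of 389 Directory Server; the function names and problem codes are hypothetical and the sample records are constructed from the DNs quoted above.

```python
MOD_OPS = {"add", "delete", "replace"}
# Added example (not from the thread); samples constructed from the DNs quoted in it.
ATTR_DELETE_BAD = """dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime
"""
ATTR_DELETE_OK = ATTR_DELETE_BAD.replace("changetype: delete", "changetype: modify")
POLICY_ENTRY = """dn: cn=Account Inactivation Policy,dc=domain,dc=local
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy
"""

def split_records(ldif):
    """Split LDIF into records on blank lines; skip comments, unfold continuations."""
    records, cur = [], []
    for line in (l for l in ldif.splitlines() if not l.startswith("#")):
        if not line.strip():
            if cur:
                records.append(cur)
            cur = []
        elif line.startswith(" ") and cur:
            cur[-1] += line[1:]  # RFC 2849 folded line
        else:
            cur.append(line)
    return records + ([cur] if cur else [])

def key(line):
    return line.split(":", 1)[0].strip().lower()

def lint_record(lines, add_mode=False):
    """Return problem codes for one record; add_mode=True mirrors `ldapmodify -a`."""
    body, changetype = lines[1:], None
    if body and key(body[0]) == "changetype":
        changetype, body = body[0].split(":", 1)[1].strip().lower(), body[1:]
    first = key(body[0]) if body else ""
    if changetype == "delete" and body:
        return ["DELETE_HAS_EXTRA_LINES"]  # whole-entry delete takes no more lines
    if changetype == "modify" and first not in MOD_OPS:
        return ["MODIFY_WITHOUT_OP"]       # needs add:, delete: or replace:
    if changetype is None and not add_mode and first not in MOD_OPS:
        return ["NEW_ENTRY_WITHOUT_ADD"]   # sent as a modify; use -a or changetype: add
    return []

def lint(ldif, add_mode=False):
    return [code for rec in split_records(ldif) for code in lint_record(rec, add_mode)]
```

`lint(ATTR_DELETE_BAD)` flags the record that produced "extra lines at end", and `lint(POLICY_ENTRY)` flags the policy entry unless `add_mode=True` is passed or the record carries `changetype: add`.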
