Hi Jim,
Thanks for the update. I got similar input from Rich as well. The thing is,
what I wanted to accomplish was to inactivate user accounts that do not log on
for X days; after following the document, existing and new users cannot log on
anymore. Not sure what to look for, though. Will try the delete statement.
Regards

On Wed, May 9, 2012 at 7:20 PM, Jim Finn <[email protected]> wrote:

> Actually, I just re-read what you are trying to do...
>
> " Changetype: delete " is intended to delete the entire entry, not an
> attribute.
>
> You're receiving that error because there should be no further instruction
> after a " Changetype: delete "
>
> I believe what you are attempting to do is remove the lastLoginTime
> attribute.  You would accomplish that like this:
>
> dn: uid=username,ou=people,dc=domain,dc=local
> changetype: modify
> delete: lastLoginTime
>
> Jim
>
> On Wed, May 9, 2012 at 11:13 AM, Jim Finn <[email protected]> wrote:
>
>> Are you doing this via an ldif file or stdin?
>>
>> Try
>> echo -e "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype:
>> delete\ndelete: lastLoginTime\n\n" | ldapmodify -x -h yourhost
>> -D"cn=directory manager" -wPaSsWoRd
>>
>> Jim
>>
>> On Wed, May 9, 2012 at 11:09 AM, Rich Megginson <[email protected]> wrote:
>>
>>>  On 05/09/2012 10:09 AM, Ali Jawad wrote:
>>>
>>> Hi Rich
>>> Seems I still got a problem, the users can't logon anymore, I did try to
>>>
>>>  dn: uid=username,ou=people,dc=domain,dc=local
>>> changetype: delete
>>> delete: lastLoginTime
>>>
>>>  But I keep getting
>>>
>>>  ldapmodify: extra lines at end (line 3 of entry
>>> "uid=username,ou=people,dc=domain,dc=local")
>>>
>>>  I checked for whitespaces, extra lines..but still same issue
>>>
>>>  I did also check for lastLoginTime values in the users in the
>>> interface, but the value is empty..so not sure if this is the problem at all
>>>
>>>
>>> does ldapmodify -d 1 give any more useful information?
>>>
>>>
>>>
>>>  Regards
>>>
>>>
>>>
>>>
>>>
>>>  On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <[email protected]> wrote:
>>>
>>>> Hi Rich
>>>> Your help is highly appreciated, I got it working, thanks for your
>>>> patience.
>>>> Regards
>>>>
>>>>
>>>> On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <[email protected]> wrote:
>>>>
>>>>>  On 05/09/2012 08:17 AM, Ali Jawad wrote:
>>>>>
>>>>> Hi
>>>>> Thanks Rich, just what I was searching for, I am facing a problem
>>>>> though "ldapmodify: No such object (32) matched DN: dc=domain,dc=local" at:
>>>>>
>>>>>
>>>>> [user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>>>>>
>>>>> dn: cn=Account Inactivation Policy,dc=example,dc=com
>>>>> objectClass: top
>>>>> objectClass: ldapsubentry
>>>>> objectClass: extensibleObject
>>>>> objectClass: accountpolicy
>>>>> accountInactivityLimit: 2592000
>>>>> cn: Account Inactivation Policy
>>>>>
>>>>>
>>>>>  I am doing
>>>>>
>>>>>  [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w
>>>>> password  -p 389 -h x.x.x.x   -x
>>>>>
>>>>>  dn: cn=Account Inactivation Policy,dc=domain,dc=local
>>>>> objectClass: top
>>>>> objectClass: ldapsubentry
>>>>> objectClass: extensibleObject
>>>>> objectClass: accountpolicy
>>>>> accountInactivityLimit: 2592000
>>>>> cn: Account Inactivation Policy
>>>>> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
>>>>>
>>>>>  ldapmodify: No such object (32)
>>>>>         matched DN: dc=domain,dc=local
>>>>>
>>>>>
>>>>> Right.  You are missing the ldapmodify -a - see the original
>>>>> instructions
>>>>>
>>>>>
>>>>>
>>>>> On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <[email protected]> wrote:
>>>>>
>>>>>>   On 05/09/2012 07:45 AM, Ali Jawad wrote:
>>>>>>
>>>>>> Hi
>>>>>> I have a requirement to disable inactive users after 90 days. I did
>>>>>> read  http://directory.fedoraproject.org/wiki/Account_Policy_Design
>>>>>> but I am not sure whether this is a design proposal or the
>>>>>> actual implementation.
>>>>>>
>>>>>>  My DS version is :
>>>>>>
>>>>>>  rpm -qa | grep 389
>>>>>> 389-admin-console-1.1.8-1.el5
>>>>>> 389-ds-base-1.2.9.9-1.el5
>>>>>> 389-dsgw-1.1.7-2.el5
>>>>>> 389-console-1.1.7-3.el5
>>>>>> 389-adminutil-1.1.14-1.el5
>>>>>> 389-admin-1.1.23-1.el5
>>>>>> 389-admin-console-doc-1.1.8-1.el5
>>>>>> 389-ds-1.2.1-1.el5
>>>>>> 389-ds-base-libs-1.2.9.9-1.el5
>>>>>> 389-ds-console-1.2.6-1.el5
>>>>>> 389-ds-console-doc-1.2.6-1.el5
>>>>>>
>>>>>>  I got
>>>>>>
>>>>>>  [root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager"
>>>>>> -w Password -b "cn=config" -s base lastLoginTime
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <cn=config> with scope baseObject
>>>>>> # filter: (objectclass=*)
>>>>>> # requesting: lastLoginTime
>>>>>> #
>>>>>>
>>>>>>  # config
>>>>>> dn: cn=config
>>>>>>
>>>>>>  # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>>  # numResponses: 2
>>>>>> # numEntries: 1
>>>>>>
>>>>>>  and
>>>>>>
>>>>>>  [root@386-100-16 dirsrv]# grep -i lastlogintime
>>>>>> /etc/dirsrv/slapd-386-100-16/schema/*
>>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:##
>>>>>> lastLoginTime holds login state in user entries (GeneralizedTime syntax)
>>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes:
>>>>>> ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>>>>>>
>>>>>>  I am not sure how to implement this though, please advise.
>>>>>>
>>>>>>
>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>>>>>>
>>>>>>
>>>>>>  Regards
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> [email protected]
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>  --
>>>>> *Ali Jawad
>>>>> *
>>>>> *Information Systems Manager*
>>>>> *Splendor Telecom (www.splendor.net)
>>>>> Beirut, Lebanon
>>>>> Phone: +9611373725/ext 116
>>>>> FAX: +9611375554*
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>



-- 
*Ali Jawad
*
*Information Systems Manager*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554*
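
Added example, not part of the original thread: a small pre-flight check for LDIF change records that flags the two mistakes discussed above (lines after "changetype: delete", and an add attempted without -a). The function names lint and split_records are hypothetical; the sample records are the ones quoted in the thread.

```python
# Added example (not from the thread): lint LDIF change records before piping
# them to ldapmodify. The sample records are the ones quoted in the thread.

def split_records(ldif_text):
    """Split LDIF text into records; blank lines separate records."""
    records, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):                  # LDIF comment
            continue
        if raw.startswith(" ") and current:      # folded continuation line
            current[-1] += raw[1:]
        elif not raw.strip():
            if current:
                records.append(current)
            current = []
        else:
            current.append(raw.rstrip())
    if current:
        records.append(current)
    return records

def lint(ldif_text, add_flag=False):
    """Return [(dn, effective_operation, [problems])]; add_flag mirrors -a."""
    results = []
    for lines in split_records(ldif_text):
        if not lines[0].lower().startswith("dn:"):
            results.append((None, "invalid", ["record must start with dn:"]))
            continue
        dn = lines[0].split(":", 1)[1].strip()
        body, problems = lines[1:], []
        if body and body[0].lower().startswith("changetype:"):
            op = body[0].split(":", 1)[1].strip().lower()
            body = body[1:]
        else:
            # No changetype: ldapmodify adds with -a, otherwise modifies.
            op = "add" if add_flag else "modify"
            if not add_flag:
                problems.append("no changetype and no -a: handled as a modify, "
                                "which fails if the entry does not exist yet")
        if op == "delete" and body:
            problems.append("changetype: delete removes the whole entry; "
                            "nothing may follow it (use changetype: modify "
                            "with delete: <attr> to drop one attribute)")
        results.append((dn, op, problems))
    return results

BROKEN = "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype: delete\ndelete: lastLoginTime\n"
FIXED = BROKEN.replace("changetype: delete", "changetype: modify")
POLICY = ("dn: cn=Account Inactivation Policy,dc=domain,dc=local\n"
          "objectClass: top\nobjectClass: ldapsubentry\nobjectClass: extensibleObject\n"
          "objectClass: accountpolicy\naccountInactivityLimit: 2592000\n"
          "cn: Account Inactivation Policy\n")
```

Calling lint(BROKEN) reports the stray line after "changetype: delete", lint(FIXED) is clean, and lint(POLICY) is clean only when add_flag=True.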