For the delete statement I got

ldapmodify: No such attribute (16)

which makes sense since I could not see an attribute in the GUI as well. Not sure what is blocking logons though.

Regards

On Wed, May 9, 2012 at 7:23 PM, Ali Jawad <[email protected]> wrote:

> Hi Jim
> Thanks for the update I got a similar input from Rich as well, the thing
> is I wanted to accomplish to inactivate user accounts that do not logon for
> X days, after following the document existing and new users can not logon
> anymore. Not sure what to look for though. Will try the delete statement
> Regards
>
> On Wed, May 9, 2012 at 7:20 PM, Jim Finn <[email protected]> wrote:
>
>> Actually, I just re-read what you are trying to do...
>>
>> " Changetype: delete " is intended to delete the entire entry, not an
>> attribute.
>>
>> You're receiving that error because there should be no further
>> instruction after a " Changetype: delete "
>>
>> I believe what you are attempting to do is remove the lastLoginTime
>> attribute. You would accomplish that like this:
>>
>> dn: uid=username,ou=people,dc=domain,dc=local
>> changetype: modify
>> delete: lastLoginTime
>>
>> Jim
>>
>> On Wed, May 9, 2012 at 11:13 AM, Jim Finn <[email protected]> wrote:
>>
>>> Are you doing this via an ldif file or stdin?
>>>
>>> Try
>>> echo -e "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype: delete\ndelete: lastLoginTime\n\n" | ldapmodify -x -h yourhost -D"cn=directory manager" -wPaSsWoRd
>>>
>>> Jim
>>>
>>> On Wed, May 9, 2012 at 11:09 AM, Rich Megginson <[email protected]> wrote:
>>>
>>>> On 05/09/2012 10:09 AM, Ali Jawad wrote:
>>>>
>>>> Hi Rich
>>>> Seems I still got a problem, the users can't logon anymore, I did try to
>>>>
>>>> dn: uid=username,ou=people,dc=domain,dc=local
>>>> changetype: delete
>>>> delete: lastLoginTime
>>>>
>>>> But I keep getting
>>>>
>>>> ldapmodify: extra lines at end (line 3 of entry
>>>> "uid=username,ou=people,dc=domain,dc=local")
>>>>
>>>> I checked for whitespaces, extra lines..but still same issue
>>>>
>>>> I did also check for lastLoginTime values in the users in the
>>>> interface, but the value is empty..so not sure if this is the problem at
>>>> all
>>>>
>>>> does ldapmodify -d 1 give any more useful information?
>>>>
>>>> Regards
>>>>
>>>> On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <[email protected]> wrote:
>>>>
>>>>> Hi Rich
>>>>> Your help is highly appreciated, I got it working, thanks for your
>>>>> patience.
>>>>> Regards
>>>>>
>>>>> On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <[email protected]> wrote:
>>>>>
>>>>>> On 05/09/2012 08:17 AM, Ali Jawad wrote:
>>>>>>
>>>>>> Hi
>>>>>> Thanks Rich, just what I was searching for, I am facing a problem
>>>>>> though "ldapmodify: No such object (32) matched DN:
>>>>>> dc=domain,dc=local" at:
>>>>>>
>>>>>> [user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>>>>>>
>>>>>> dn: cn=Account Inactivation Policy,dc=example,dc=com
>>>>>> objectClass: top
>>>>>> objectClass: ldapsubentry
>>>>>> objectClass: extensibleObject
>>>>>> objectClass: accountpolicy
>>>>>> accountInactivityLimit: 2592000
>>>>>> cn: Account Inactivation Policy
>>>>>>
>>>>>> I am doing
>>>>>>
>>>>>> [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
>>>>>>
>>>>>> dn: cn=Account Inactivation Policy,dc=domain,dc=local
>>>>>> objectClass: top
>>>>>> objectClass: ldapsubentry
>>>>>> objectClass: extensibleObject
>>>>>> objectClass: accountpolicy
>>>>>> accountInactivityLimit: 2592000
>>>>>> cn: Account Inactivation Policy
>>>>>> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
>>>>>>
>>>>>> ldapmodify: No such object (32)
>>>>>> matched DN: dc=domain,dc=local
>>>>>>
>>>>>> Right. You are missing the ldapmodify -a - see the original
>>>>>> instructions
>>>>>>
>>>>>> On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <[email protected]> wrote:
>>>>>>
>>>>>>> On 05/09/2012 07:45 AM, Ali Jawad wrote:
>>>>>>>
>>>>>>> Hi
>>>>>>> I have a requirement to disable inactive users after 90 days. I did
>>>>>>> read http://directory.fedoraproject.org/wiki/Account_Policy_Design
>>>>>>> but I am not sure whether this is a design proposal or the
>>>>>>> actual implementation.
>>>>>>>
>>>>>>> My DS version is :
>>>>>>>
>>>>>>> rpm -qa | grep 389
>>>>>>> 389-admin-console-1.1.8-1.el5
>>>>>>> 389-ds-base-1.2.9.9-1.el5
>>>>>>> 389-dsgw-1.1.7-2.el5
>>>>>>> 389-console-1.1.7-3.el5
>>>>>>> 389-adminutil-1.1.14-1.el5
>>>>>>> 389-admin-1.1.23-1.el5
>>>>>>> 389-admin-console-doc-1.1.8-1.el5
>>>>>>> 389-ds-1.2.1-1.el5
>>>>>>> 389-ds-base-libs-1.2.9.9-1.el5
>>>>>>> 389-ds-console-1.2.6-1.el5
>>>>>>> 389-ds-console-doc-1.2.6-1.el5
>>>>>>>
>>>>>>> I got
>>>>>>>
>>>>>>> [root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b "cn=config" -s base lastLoginTime
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <cn=config> with scope baseObject
>>>>>>> # filter: (objectclass=*)
>>>>>>> # requesting: lastLoginTime
>>>>>>> #
>>>>>>>
>>>>>>> # config
>>>>>>> dn: cn=config
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> # numResponses: 2
>>>>>>> # numEntries: 1
>>>>>>>
>>>>>>> and
>>>>>>>
>>>>>>> [root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
>>>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
>>>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>>>>>>>
>>>>>>> I am not sure how to implement this though, please advise.
>>>>>>>
>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> --
>>>>>>> 389 users mailing list
>>>>>>> [email protected]
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>
>>>>>> --
>>>>>> *Ali Jawad*
>>>>>> *Information Systems Manager*
>>>>>> *Splendor Telecom (www.splendor.net)
>>>>>> Beirut, Lebanon
>>>>>> Phone: +9611373725/ext 116
>>>>>> FAX: +9611375554*

--
*Ali Jawad*
*Information Systems Manager*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554*
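
Added example, not part of the original thread: a small Python pre-flight check for LDIF records that reproduces the two ldapmodify failures discussed above (directives after "changetype: delete", and an add record sent without -a). The function name check_record, its messages and the sample records are constructed for illustration; the classification assumes the ldapmodify behaviour shown in the thread.

```python
# Pre-flight check for LDIF records before they are piped to ldapmodify.
# Constructed sample records, built from the DNs quoted in the thread.
WRONG_DELETE = """dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime"""

ATTR_DELETE = """dn: uid=username,ou=people,dc=domain,dc=local
changetype: modify
delete: lastLoginTime"""

POLICY = """dn: cn=Account Inactivation Policy,dc=domain,dc=local
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy"""


def check_record(record, add_mode=False):
    """Classify one LDIF record; add_mode mirrors running ldapmodify -a."""
    lines = [l for l in record.strip().splitlines() if not l.startswith("#")]
    if not lines or not lines[0].lower().startswith("dn:"):
        return "error: record must start with a dn: line"
    body = lines[1:]
    changetype = None
    if body and body[0].lower().startswith("changetype:"):
        changetype = body[0].split(":", 1)[1].strip().lower()
        body = body[1:]
    if changetype is None:
        # Without a changetype the record is an add only when -a is given.
        if add_mode:
            return "ok: add entry"
        return "warn: treated as modify; No such object (32) if entry is absent"
    if changetype == "delete":
        # Removes the whole entry, so no directive may follow it.
        if body:
            return "error: extra lines at end; changetype: delete removes the entry"
        return "warn: deletes the ENTIRE entry, not an attribute"
    if changetype == "modify":
        op, _, attr = (body[0] if body else "").partition(":")
        if op.strip().lower() not in ("add", "delete", "replace"):
            return "error: modify needs an add:, delete: or replace: directive"
        return f"ok: modify ({op.strip().lower()} {attr.strip()})"
    if changetype in ("add", "modrdn", "moddn"):
        return f"ok: {changetype}"
    return f"error: unknown changetype {changetype!r}"
```
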
