Rashid Mahmood created DIRSERVER-2306:
-----------------------------------------
Summary: Removing pwdAccountLockedTime Attribute with Technical
User
Key: DIRSERVER-2306
URL: https://issues.apache.org/jira/browse/DIRSERVER-2306
Project: Directory ApacheDS
Issue Type: Task
Affects Versions: 2.0.0-M24
Reporter: Rashid Mahmood
We are connecting to ApacheDS ldap with a technical user created with ACL
mentioned below. We are able to cover all of requirements except the
possibility for user to unlock his account, when he tried to unlock the
account, behind the scene techincal user is unable to removeĀ
pwdAccountLockedTime attribute and we receive Access Rights error.
We tried to switch Admin user but then it is contradicting with another
requirement of pwdHistory and user was able to reuse existing password during
password changeĀ https://issues.apache.org/jira/browse/DIRSERVER-2084
Is it possible to handle both requirements with one technical user? our
preference was to handle it with our own user instead of default admin
{code:java}
dn: cn=fdLdapAuthorizationRequirementsACISubentry,dc=abc,dc=xyz
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: fdLdapAuthorizationRequirementsACISubentry
subtreeSpecification: {}
prescriptiveACI: {
identificationTag "directoryManagerFullAccessACI",
precedence 11,
authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses
{
name { "uid=fdactmgr,ou=users,ou=system" }
},
userPermissions
{
{
protectedItems
{
entry, allUserAttributeTypesAndValues
},
grantsAndDenials
{
grantAdd, grantDiscloseOnError, grantRead,
grantRemove, grantBrowse, grantExport, grantImport,
grantModify, grantRename, grantReturnDN,
grantCompare, grantFilterMatch, grantInvoke
}
}
}
}
}
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
