On 17/01/2017 at 15:36, Mike Davis wrote:
> I have set up a special user that has rights to modify details of another
> user. This prevents the need for our applications to log in as the admin
> user, while still allowing password resets and such.
>
> I'd like to give that user rights to delete the operational attribute
> pwdAccountLockedTime. I've created a subentry that allows the user to
> modify the password and such, but when I try to add in
> pwdAccountLockedTime, it's not allowing that to happen. The error message
> indicates that operational attributes cannot be modified by a user. 
>
> Is there a way to allow for a user to delete that attribute?
No.

Here is the definition of this attributeType:

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime'
    DESC 'The time an user account was locked'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION    <<<----------------
    USAGE userApplications )

As you can see, it's forbidden by definition (which is defined in the
PasswordPolicy RFC draft).


> If not, is there a way to configure Apache DS to delete that attribute on
> a password change?

You should be able to modify this attribute if you send a modifyRequest
on the entry with a Password Policy control (1.3.6.1.4.1.42.2.27.8.5.1).

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
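The modifyRequest the reply describes, as an added example (not code from the thread or from Apache DS): it builds the delete of pwdAccountLockedTime with the Password Policy request control attached and sends it with the ldap3 client library. The host, bind DN, password and target DN are placeholders, and the comment about the server's refusal without the control reflects what the original poster reported.

```python
"""Unlock an account by deleting pwdAccountLockedTime with the
Password Policy request control (draft-behera-ldap-password-policy).
Assumes the ldap3 client library and an Apache DS instance with a
password policy enabled; connection details below are placeholders."""
from typing import Dict, List, Optional, Tuple

# Request control OID from the password policy draft; its value is absent.
PPOLICY_REQUEST_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
LOCKED_TIME_ATTR = "pwdAccountLockedTime"


def build_unlock_modify(with_control: bool) -> Tuple[Dict[str, list], Optional[List[tuple]]]:
    """Build the ldap3 'changes' dict and control list for the unlock.

    "MODIFY_DELETE" is the string ldap3 exports as ldap3.MODIFY_DELETE; an
    empty value list deletes every value (the attribute is SINGLE-VALUE).
    """
    changes = {LOCKED_TIME_ATTR: [("MODIFY_DELETE", [])]}
    # ldap3 controls are (oid, criticality, value). criticality=True makes a
    # server that does not support the control refuse the request outright
    # instead of silently processing it as a plain user modification.
    controls = [(PPOLICY_REQUEST_OID, True, None)] if with_control else None
    return changes, controls


def unlock_account(conn, user_dn: str, with_control: bool = True) -> bool:
    """Send the modifyRequest on user_dn; return True if the server accepted it."""
    changes, controls = build_unlock_modify(with_control)
    accepted = conn.modify(user_dn, changes, controls=controls)
    if not accepted:
        # Without the control the NO-USER-MODIFICATION attribute is refused,
        # which is the error the original poster hit; surface it, don't hide it.
        print(f"unlock of {user_dn} refused: {conn.result['description']}")
    return accepted


if __name__ == "__main__":
    from ldap3 import Connection, Server  # placeholder deployment values follow

    server = Server("ldap://ldap.example.internal:10389")
    conn = Connection(server, user="uid=pwadmin,ou=system",
                      password="<placeholder>", auto_bind=True)
    unlock_account(conn, "uid=alice,ou=users,dc=example,dc=com")
```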
