Hi Jim

Thanks for the update. I got similar input from Rich as well. The thing I wanted to accomplish is to inactivate user accounts that do not log on for X days; after following the document, existing and new users cannot log on anymore. Not sure what to look for though. Will try the delete statement.

Regards

On Wed, May 9, 2012 at 7:20 PM, Jim Finn <firstname.lastname@example.org> wrote:
Actually, I just re-read what you are trying to do...

"Changetype: delete" is intended to delete the entire entry, not an attribute. You're receiving that error because there should be no further instruction after a "Changetype: delete".

I believe what you are attempting to do is remove the lastLoginTime attribute. You would accomplish that like this:

dn: uid=username,ou=people,dc=domain,dc=local
changetype: modify
delete: lastLoginTime

Jim

On Wed, May 9, 2012 at 11:13 AM, Jim Finn <email@example.com> wrote:

Are you doing this via an ldif file or stdin?

Try

echo -e "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype: delete\ndelete: lastLoginTime\n\n" | ldapmodify -x -h yourhost -D"cn=directory manager" -wPaSsWoRd

Jim

On Wed, May 9, 2012 at 11:09 AM, Rich Megginson <firstname.lastname@example.org> wrote:
On 05/09/2012 10:09 AM, Ali Jawad wrote:

does ldapmodify -d 1 give any more useful information?

Hi Rich

Seems I still got a problem, the users can't log on anymore, I did try to

dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime
But I keep getting
ldapmodify: extra lines at end (line 3 of entry "uid=username,ou=people,dc=domain,dc=local")
I checked for whitespaces, extra lines..but still same issue
I did also check for lastLoginTime values in the users in the interface, but the value is empty..so not sure if this is the problem at all
On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <email@example.com> wrote:
Hi Rich

Your help is highly appreciated, I got it working, thanks for your patience.
On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <firstname.lastname@example.org> wrote:
On 05/09/2012 08:17 AM, Ali Jawad wrote:

Hi

Thanks Rich, just what I was searching for. I am facing a problem though, "ldapmodify: No such object (32) matched DN: dc=domain,dc=local", at:

[user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
dn: cn=Account Inactivation Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy
I am doing
[root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
dn: cn=Account Inactivation Policy,dc=domain,dc=local
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy

modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
ldapmodify: No such object (32)
matched DN: dc=domain,dc=local
Right. You are missing the ldapmodify -a - see the original instructions
On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <email@example.com> wrote:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html

On 05/09/2012 07:45 AM, Ali Jawad wrote:

Hi

I have a requirement to disable inactive users after 90 days. I did read http://directory.fedoraproject.org/wiki/Account_Policy_Design but I am not sure whether this is a design proposal or the actual implementation.
My DS version is :
rpm -qa | grep 389
389-admin-console-1.1.8-1.el5
389-ds-base-184.108.40.206-1.el5
389-dsgw-1.1.7-2.el5
389-console-1.1.7-3.el5
389-adminutil-1.1.14-1.el5
389-admin-1.1.23-1.el5
389-admin-console-doc-1.1.8-1.el5
389-ds-1.2.1-1.el5
389-ds-base-libs-220.127.116.11-1.el5
389-ds-console-1.2.6-1.el5
389-ds-console-doc-1.2.6-1.el5

I got

[root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b "cn=config" -s base lastLoginTime
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: lastLoginTime
#

# config
dn: cn=config

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
/etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
/etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113718.104.22.168.1.35 NAME 'lastLoginTime'
I am not sure how to implement this though, please advise.
--
389 users mailing list
firstname.lastname@example.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Phone: +9611373725/ext 116
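
The two LDIF mistakes worked through in this thread (extra lines after "changetype: delete", and an add record sent without -a), as an added example that is not part of the original messages or of 389 Directory Server. The function names split_records and lint_record are hypothetical, the sample records are constructed from the DNs quoted above, and only simple unfolded records are handled.

```python
# Added example, not from the thread; sample records are constructed from
# the DNs and attributes quoted in the messages above.

def split_records(ldif_text):
    """Split LDIF text into records at blank lines, dropping comment lines."""
    records, current = [], []
    for line in ldif_text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif not line.startswith("#"):
            current.append(line.rstrip())
    if current:
        records.append(current)
    return records

def lint_record(lines, add_mode=False):
    """Return problems in one record; add_mode mirrors ldapmodify's -a flag."""
    if not lines[0].lower().startswith("dn:"):
        return ["line 1: record does not start with dn:"]
    dn = lines[0].split(":", 1)[1].strip()
    for number, line in enumerate(lines[1:], start=2):
        key, _, value = line.partition(":")
        if key.strip().lower() != "changetype":
            continue
        changetype, rest = value.strip().lower(), lines[number:]
        if changetype == "delete" and rest:
            return [f"line {number + 1}: '{rest[0]}' follows changetype: delete, "
                    f"which removes the whole entry {dn}; use changetype: modify"]
        if changetype == "modify" and not rest:
            return [f"line {number}: changetype: modify has no operations"]
        return []
    if not add_mode:
        return [f"no changetype and no -a: {dn} is sent as a modify of an "
                "existing entry, which fails with No such object (32) if absent"]
    return []

BROKEN = ("dn: uid=username,ou=people,dc=domain,dc=local\n"
          "changetype: delete\ndelete: lastLoginTime\n")
FIXED = BROKEN.replace("changetype: delete", "changetype: modify")
POLICY = ("dn: cn=Account Inactivation Policy,dc=domain,dc=local\n"
          "objectClass: accountpolicy\naccountInactivityLimit: 2592000\n")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED), ("policy", POLICY)):
        for record in split_records(text):
            print(name, lint_record(record) or "ok")
```

Running a check like this before piping a file to ldapmodify matters most for the first case: a record that is only "changetype: delete" with nothing after it is valid and removes the whole user entry.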