This topic contains 1 reply, has 2 voices, and was last updated by  Bill Nelson 4 months ago.

  • #25852
     vliefooghe 
    Participant

    Hello,

    I am working on a migration from ODSEE to Forgerock DS.
    I see in the log file that some queries return the nsAccountLock attribute:

    
    uid=USER1,ou=people,o=MyCompany,c=fr" scope=0 filter="(objectClass=*)" attrs="* isMemberOf nsAccountLock"

    I know that in DS, such attribute does not exist anymore, replaced by ds-pwp-account-disabled.

    Is there any means, through a virtual attribute, to create a “mirror” of ds-pwp-account-disabled in nsAccountLock, so that we don’t have to change our applications?

    Thanks,

    #25853
     Bill Nelson 
    Participant

    One easy way to do this (look the other way, @ludo) is to simply set an alias for the operational attribute, ds-pwp-account-disabled in the 02-config.ldif file as follows:

    02-config.ldif:
    attributeTypes: ( 1.3.6.1.4.1.26027.1.1.166
      NAME ( 'ds-pwp-account-disabled' 'nsAccountLock' )
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE
      USAGE directoryOperation
      X-ORIGIN 'OpenDS Directory Server' )

    Then your applications can still query the nsAccountLock attribute and they would return the values contained in the ds-pwp-account-disabled operational attribute – which would be “true” or empty (i.e. the value is missing). I don’t remember if this is the behavior from ODSEE or not, but if you are ok with this, then it is an easy approach.

    Now having said that, if you make this change, you will need to “re-make” it should you upgrade as it is possible that this configuration file will be overwritten during the upgrade process.

    Here are examples of the manage-account and ldapsearch commands that demonstrate this approach:

    1. Determine the initial state of the user

    ./manage-account -p 1444 -D "cn=Directory Manager" -w XXXXXX get-account-is-disabled -b uid=bnelson,ou=people,dc=example,dc=com -X
    Account Is Disabled: false

    ./ldapsearch -p 1389 -D "cn=Directory Manager" -w XXXXXX -b uid=bnelson,ou=people,dc=example,dc=com -s sub "objectclass=*" ds-pwp-account-disabled
    dn: uid=bnelson,ou=people,dc=example,dc=com

    Note: The user is NOT disabled.

    2. Disable the user account

    ./manage-account -p 1444 -D "cn=Directory Manager" -w XXXXXX set-account-is-disabled -O true -b uid=bnelson,ou=people,dc=example,dc=com -X
    Account Is Disabled: true

    ./manage-account -p 1444 -D "cn=Directory Manager" -w XXXXXX get-account-is-disabled -b uid=bnelson,ou=people,dc=example,dc=com -X
    Account Is Disabled: true

    ./ldapsearch -p 1389 -D "cn=Directory Manager" -w XXXXXX -b uid=bnelson,ou=people,dc=example,dc=com -s sub "objectclass=*" ds-pwp-account-disabled
    dn: uid=bnelson,ou=people,dc=example,dc=com
    ds-pwp-account-disabled: true

    Note: The user is DISABLED.

    3. Determine the value of the alias, nsAccountLock

    ./ldapsearch -p 1389 -D "cn=Directory Manager" -w XXXXXX -b uid=bnelson,ou=people,dc=example,dc=com -s sub "objectclass=*" nsAccountLock
    dn: uid=bnelson,ou=people,dc=example,dc=com
    nsAccountLock: true

    Note: The alias works.

    4. Enable the user account

    ./manage-account -p 1444 -D "cn=Directory Manager" -w XXXXXX set-account-is-disabled -O false -b uid=bnelson,ou=people,dc=example,dc=com -X
    Account Is Disabled: false

    ./manage-account -p 1444 -D "cn=Directory Manager" -w XXXXXX get-account-is-disabled -b uid=bnelson,ou=people,dc=example,dc=com -X
    Account Is Disabled: false

    ./ldapsearch -p 1389 -D "cn=Directory Manager" -w XXXXXX -b uid=bnelson,ou=people,dc=example,dc=com -s sub "objectclass=*" ds-pwp-account-disabled
    dn: uid=bnelson,ou=people,dc=example,dc=com

    ./ldapsearch -p 1389 -D "cn=Directory Manager" -w XXXXXX -b uid=bnelson,ou=people,dc=example,dc=com -s sub "objectclass=*" nsAccountLock
    dn: uid=bnelson,ou=people,dc=example,dc=com

    Note: The account is NOT DISABLED (and nsAccountLock and ds-pwp-account-disabled both return the same values).
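
The alias in the reply works because an LDAP attribute type is identified by its OID and may carry several NAMEs; every name resolves to the same stored attribute. The following added example (not part of the thread, and not ForgeRock code) shows that resolution and the client-side check an application would need: it parses the attributeTypes definition above into its OID and name list, maps any alias back to the canonical name, and evaluates an entry the way the reply describes, where a missing attribute means "not disabled" and only a value of true means "disabled". The schema string and the LDIF entries are constructed from the output shown in the reply; the function names are this example's own.

```python
import re

# Constructed sample: the attributeTypes definition from the reply, with the
# nsAccountLock alias as the second NAME (straight quotes, as a schema parser expects).
SCHEMA_ATTRIBUTE_TYPE = (
    "( 1.3.6.1.4.1.26027.1.1.166 "
    "NAME ( 'ds-pwp-account-disabled' 'nsAccountLock' ) "
    "EQUALITY booleanMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
    "SINGLE-VALUE "
    "USAGE directoryOperation "
    "X-ORIGIN 'OpenDS Directory Server' )"
)

# Constructed entries matching the ldapsearch output shown in the reply.
ENTRY_DISABLED = "dn: uid=bnelson,ou=people,dc=example,dc=com\nds-pwp-account-disabled: true\n"
ENTRY_VIA_ALIAS = "dn: uid=bnelson,ou=people,dc=example,dc=com\nnsAccountLock: true\n"
ENTRY_ENABLED = "dn: uid=bnelson,ou=people,dc=example,dc=com\n"

_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
# NAME is either a single quoted name or a parenthesised list of quoted names.
_NAME_RE = re.compile(r"\bNAME\s+(?:\(\s*((?:'[^']*'\s*)+)\)|('[^']*'))")


def parse_attribute_type(definition):
    """Return (oid, [names]) from an RFC 4512 attributeTypes description."""
    oid_match = _OID_RE.match(definition.strip())
    name_match = _NAME_RE.search(definition)
    if not oid_match or not name_match:
        raise ValueError("not a parsable attributeTypes definition")
    raw_names = name_match.group(1) or name_match.group(2)
    return oid_match.group(1), re.findall(r"'([^']*)'", raw_names)


def build_alias_map(definitions):
    """Map every name of each attribute type to its canonical (first) NAME.
    Keys are lower-cased because LDAP attribute names are case-insensitive."""
    aliases = {}
    for definition in definitions:
        _oid, names = parse_attribute_type(definition)
        for name in names:
            aliases[name.lower()] = names[0]
    return aliases


def canonical_attribute(alias_map, requested):
    """Resolve a requested attribute name (possibly an alias) to its canonical name."""
    return alias_map.get(requested.lower(), requested)


def parse_ldif_entry(text):
    """Minimal LDIF entry parser: {attribute-name-lowercased: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _sep, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def is_account_disabled(entry, alias_map, attribute="nsAccountLock"):
    """True only when the attribute (under any of its names) holds 'true'.
    An absent attribute is treated as 'not disabled', which is what the reply
    describes for ds-pwp-account-disabled."""
    canonical = canonical_attribute(alias_map, attribute)
    names = {n for n, target in alias_map.items() if target == canonical}
    names.add(canonical.lower())
    values = [v for n in names for v in entry.get(n, [])]
    return any(v.lower() == "true" for v in values)


if __name__ == "__main__":
    alias_map = build_alias_map([SCHEMA_ATTRIBUTE_TYPE])
    print(parse_attribute_type(SCHEMA_ATTRIBUTE_TYPE))
    print("nsAccountLock ->", canonical_attribute(alias_map, "nsAccountLock"))
    for label, ldif in (("disabled", ENTRY_DISABLED), ("via alias", ENTRY_VIA_ALIAS), ("enabled", ENTRY_ENABLED)):
        print(label, "disabled?", is_account_disabled(parse_ldif_entry(ldif), alias_map))
```

The absent-versus-false distinction is the part worth carrying into application code: a client that tests `nsAccountLock == "false"` will misclassify every enabled user once the attribute simply disappears, so treat only an explicit true as a lock.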
