August 2, 2015 at 12:56 am #4962
Brad Tumy (Participant)
I am implementing a proof of concept where a user’s password policy (OpenDJ) will be modified via a patch from an onUpdate hook. I don’t seem to be able to update the ds-pwp-password-policy-dn attribute and want to confirm that it’s possible. I am able to write to other operation attributes so was assuming that I could.
"attributesToSynchronize" : [
    {
        "default" : "cn=Default Password Policy,cn=Password Policies,cn=config",
        "source" : "ds-pwp-password-policy-dn",
        "target" : "ds-pwp-password-policy-dn"
    }
]
I am manually changing the password policy, in OpenDJ, to:
cn=Demo Pass Through Policy,cn=Password Policies,cn=config (a custom pass through policy)
and then to update I run a patch:
curl -X PATCH -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: xxxx"
[
    {
        "operation" : "replace",
        "field" : "/ds-pwp-password-policy-dn/",
        "value" : "cn=Default Password Policy,cn=Password Policies,cn=config"
    }
]
Nothing is getting changed in OpenDJ.

August 3, 2015 at 12:07 am #4964
Bill Nelson (Participant)
You should be able to perform this operation if your user has the appropriate ACIs. I was able to explicitly set this as the rootDN user with the ldapmodify command:
$ ldapmodify -D "cn=Directory Manager" -w ****** <ENTER>
dn: uid=bnelson,ou=People,dc=example,dc=com <ENTER>
changetype: modify <ENTER>
replace: ds-pwp-password-policy-dn <ENTER>
ds-pwp-password-policy-dn: cn=Example Corp User Password Policy,
 cn=Password Policies,cn=config <ENTER>
or dynamically using virtual attributes and the appropriate filters for assignment. It may just be the permissions of the account you are using to connect from OpenIDM to OpenDJ.
BTW, please see both methods detailed in my blog entry at http://idmdude.com/2014/04/22/understanding-openam-and-opendj-account-lockout-behaviors/.
bill

August 9, 2015 at 8:01 pm #5063
Brad Tumy (Participant)
Turns out that I had pwdAccountLockedTime (for another use case) in the provisioner file and OpenIDM was trying to write to that attribute as well. Once that attribute was flagged as NOT-UPDATEABLE I was able to update the password policy successfully.
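As an added illustration of the resolution above (constructed example, not code from the thread, OpenIDM or OpenDJ): OpenIDM pushes every mapped attribute in one LDAP modify, and an LDAP modify is atomic (RFC 4511), so if one attribute in the change set is one the server refuses to let clients write, the policy-DN change fails along with it. The provisioner layout, the `NOT_UPDATEABLE` flag spelling, the set of server-maintained read-only attributes and the sample values are all assumptions made for the example; the DN is Bill's from the thread.

```python
"""Constructed model of the failure in this thread: a mapped attribute the
server will not accept from a client (here pwdAccountLockedTime) sinks the
whole modify, and flagging it NOT_UPDATEABLE in the provisioner keeps it out
of the change set. Not OpenIDM or OpenDJ code."""
from typing import Dict, Iterable

# Assumption: provisioner layout loosely follows OpenIDM's per-attribute
# properties map; the flag name mirrors the thread's resolution.
PROVISIONER_PROPS_BEFORE: Dict[str, dict] = {
    "ds-pwp-password-policy-dn": {"flags": []},
    "pwdAccountLockedTime": {"flags": []},          # mapped, not flagged
}
PROVISIONER_PROPS_AFTER: Dict[str, dict] = {
    "ds-pwp-password-policy-dn": {"flags": []},
    "pwdAccountLockedTime": {"flags": ["NOT_UPDATEABLE"]},
}

# Constructed: operational attributes the server maintains itself and rejects
# in client modifies (modelled after NO-USER-MODIFICATION attributes).
SERVER_READ_ONLY = frozenset({"pwdAccountLockedTime", "pwdChangedTime"})

# Constructed: what the sync would try to write after the PATCH in the thread.
DESIRED = {
    "ds-pwp-password-policy-dn":
        "cn=Default Password Policy,cn=Password Policies,cn=config",
    "pwdAccountLockedTime": "20150802005600Z",
}


def writable_attributes(desired: Dict[str, str], props: Dict[str, dict]) -> Dict[str, str]:
    """Drop attributes the provisioner marks NOT_UPDATEABLE (what the fix did)."""
    return {a: v for a, v in desired.items()
            if "NOT_UPDATEABLE" not in props.get(a, {}).get("flags", [])}


def build_modify_ldif(dn: str, changes: Dict[str, str]) -> str:
    """Render the equivalent of the ldapmodify input above, one replace per attribute."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def modify_accepted(changes: Dict[str, str], read_only: Iterable[str] = SERVER_READ_ONLY) -> bool:
    """Atomic modify: any read-only attribute in the change set rejects all of it."""
    return not (set(changes) & set(read_only))


def unflagged_read_only(props: Dict[str, dict], read_only: Iterable[str] = SERVER_READ_ONLY) -> list:
    """Lint: mapped attributes the server will refuse that the provisioner still updates."""
    return sorted(a for a in props
                  if a in set(read_only)
                  and "NOT_UPDATEABLE" not in props[a].get("flags", []))


def run(dn: str = "uid=bnelson,ou=People,dc=example,dc=com") -> dict:
    """Compare the change set before and after flagging the attribute."""
    before = writable_attributes(DESIRED, PROVISIONER_PROPS_BEFORE)
    after = writable_attributes(DESIRED, PROVISIONER_PROPS_AFTER)
    return {
        "before_accepted": modify_accepted(before),
        "after_accepted": modify_accepted(after),
        "after_ldif": build_modify_ldif(dn, after),
        "lint_before": unflagged_read_only(PROVISIONER_PROPS_BEFORE),
    }


if __name__ == "__main__":
    result = run()
    print("before fix, modify accepted:", result["before_accepted"])
    print("after fix, modify accepted: ", result["after_accepted"])
    print("unflagged read-only attrs:  ", result["lint_before"])
    print(result["after_ldif"])
```

The `unflagged_read_only` check is the part worth keeping around: run it over the provisioner's attribute map whenever a sync starts failing silently, because a single server-maintained attribute that slipped into the mapping is enough to block every other update to the entry.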