
Update user ibm-pwdIndividualPolicyDN from SDI AL


mohan

Nov 5, 2015, 10:28:29 PM
Hello All,

I am here with another request for help with my SDI AL. I am trying to develop an SDI AL which will update the user's individual password policy DN with a static value "cn=custom-pwdpolicy,CN=IBMPOLICIES" when a password reset is performed.

I enabled the IBM Security Directory Server change-log functionality and used a changelog connector to trigger the password reset (I am using a custom attribute called resetpwd=true) while updating the password.

Once the change-log receives a password change, SDI will check if resetpwd=true; if it is true, the AL will get the user's $dn value and try to update the user's ibm-pwdIndividualPolicyDN value with "cn=custom-pwdpolicy,CN=IBMPOLICIES".

The issue: I am able to trigger the password change, but it fails to update the user's ibm-pwdIndividualPolicyDN attribute.

I tried adding the value from the SDS command line with "idsmodify", which works fine, but not when I update it from SDI.

22:07:12,104 ERROR - [LDAPConnector_1] CTGDIS810E handleException - cannot handle exception , update
javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; Remaining name: 'uid=testuser,ou=Users,o=sample'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3139)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3025)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2832)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1470)
at

Thanks for your time and help!

Thanks,
Mohan-

Franzw

Nov 6, 2015, 4:25:02 PM
When you start doing this kind of low-level LDAP things TDI is not very helpful - but definitely no reason to give up.

I did a presentation on this back in 2012 in Prague - let me go back into my archives to find some code (it will take a couple of days) that shows how to set the extension - be prepared that you probably need to use the TDS java toolkit although it SHOULD be possible to do the same using JNDI...

Regards
Franz Wolfhagen

PS. If I forget it remind me....

Krishna Koppisetty

Nov 10, 2015, 3:26:37 AM
Hello Franzw,

thank you very much for helping me out with this. Just wanted to check if you had a chance to look into this in your archives for the solution?

regards,
Mohan-

Franzw

Nov 10, 2015, 10:32:16 AM
OK - here it goes - not for the fainthearted - can probably be simplified/improved....

These examples demonstrate using critical controls on an iterator-mode LDAP connector - so you have to work from here.

These go in the "before selection" hook (you need to find an appropriate hook for your case):

// PersistentSearchControl example (works)
// Build the control from the SDS Java toolkit, mark it critical and attach it to the
// connector's JNDI LdapContext so the next operation sent on that context carries it.
var control = new com.ibm.ldap.bp.ctl.PersistentSearchControl(com.ibm.ldap.bp.ctl.PersistentSearchControl.ANY, false, false);
control.setCriticality(true);
// setRequestControls() expects a Java Control[]; reflection creates a typed array of the control's own class.
var controlArray = java.lang.reflect.Array.newInstance(control.getClass(), 1);
controlArray[0] = control;
thisConnector.connector.getLdapContext().setRequestControls(controlArray);

// SortedResultsControl example (works) - same pattern, server-side sort on "initials"
//var control = new com.ibm.ldap.bp.ctl.SortedResultsControl("initials");
//control.setCriticality(true);
//var controlArray = java.lang.reflect.Array.newInstance(control.getClass(), 1);
//controlArray[0] = control;
//thisConnector.connector.getLdapContext().setRequestControls(controlArray);


You will need to download the Java toolkit for SDS and add it to your TDI solution to use these examples.

Now - you may be lucky that you only need to apply the server admin control to update the pwdpolicy - this means that the following, placed in the "before initialize" hook, should do it:

thisConnector.connector.setServerAdminControl(true);

So try that out first.

I am sorry I do not have the time to make these examples more helpful - they could be done using pure javax methods, but in that case you probably need to reference the controls in ASN.1 notation. Also the reflection can probably be avoided by calling the static methods with their full class name.

HTH
Regards
Franz Wolfhagen
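
The pure-JNDI variant Franz mentions, as an added example that is not from the original thread or from TDI: it reads the root DSE to confirm the server advertises the control before marking it critical (an unadvertised critical control is exactly what produces "error code 12 - Unavailable Critical Extension"), then replaces ibm-pwdIndividualPolicyDN. The Server Administration control OID, the LDAP URL and the bind DN are assumptions and placeholders; check the OID against your server's supportedControl values. The same setPolicy() can be handed the context from thisConnector.connector.getLdapContext() inside a TDI hook.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class SetIndividualPwdPolicy {
    // Assumed OID of the SDS Server Administration control (valueless); verify it
    // appears in the root DSE "supportedControl" attribute of your server.
    static final String SERVER_ADMIN_CONTROL_OID = "1.3.18.0.2.10.15";
    static final String POLICY_ATTR = "ibm-pwdIndividualPolicyDN";

    // True when the server advertises the control in its root DSE.
    static boolean serverSupportsControl(LdapContext ctx, String oid) throws NamingException {
        Attributes rootDse = ctx.getAttributes("", new String[] {"supportedControl"});
        Attribute supported = rootDse.get("supportedControl");
        return supported != null && supported.contains(oid);
    }

    static void setPolicy(LdapContext ctx, String userDn, String policyDn) throws NamingException {
        if (!serverSupportsControl(ctx, SERVER_ADMIN_CONTROL_OID)) {
            throw new NamingException("server does not advertise " + SERVER_ADMIN_CONTROL_OID
                    + "; sending it as critical would fail with result code 12");
        }
        // Control type + criticality=true, no BER-encoded value.
        Control adminCtl = new BasicControl(SERVER_ADMIN_CONTROL_OID, true, null);
        ctx.setRequestControls(new Control[] {adminCtl});
        try {
            ModificationItem[] mods = {new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute(POLICY_ATTR, policyDn))};
            ctx.modifyAttributes(userDn, mods);
        } finally {
            ctx.setRequestControls(null); // do not leak the control into later operations
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://sds.example.com:636");   // placeholder
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=root");                  // placeholder admin DN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            setPolicy(ctx, "uid=testuser,ou=Users,o=sample", "cn=custom-pwdpolicy,CN=IBMPOLICIES");
        } finally {
            ctx.close();
        }
    }
}
```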

mohan

Nov 11, 2015, 12:11:03 PM
Thank you Franz, I will try this out and will reply back if I have any new findings.

Thanks again for taking time for this.
Mohan-