
Operational Attributes


Leonardo Saavedra

Mar 28, 2006, 4:59:56 PM3/28/06
Hi all,

I'd like to know if it's possible to change "operational attributes"
working with an IDI function or something like that on a user in an ITDS 5.2
server.


For example, it's possible with ldapmodify using the "-k" modifier:


root@portillo /# ldapsearch -h portillo -D cn=root -w mypass -b o=siebel uid=jcabezas pwdChangedTime

uid=JCABEZAS,cn=users,o=siebel
pwdChangedTime=20060328213003.000000Z


root@portillo /# ldapmodify -D cn=root -w mypass -k
dn: uid=JCABEZAS,cn=users,o=siebel
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20060228213003.000000Z

modifying entry uid=JCABEZAS,cn=users,o=siebel


root@portillo /# ldapsearch -h portillo -D cn=root -w mypass -b o=siebel uid=jcabezas pwdChangedTime

uid=JCABEZAS,cn=users,o=siebel
pwdChangedTime=20060228213003.000000Z

Thanks

--
Leonardo Saavedra.

Jason Williams

Mar 28, 2006, 5:49:16 PM3/28/06
Leonardo,
Have you already pulled this attribute into the IDI work object?

You can pull the "operational attributes" into IDI by listing them in
the "Return Attributes" section of the connector. For example, if I
want to pull back all attributes, plus the "modifyTimestamp" operational
attribute, I would put this in the "Return Attribute" section.
---
*
modifyTimestamp
---

I personally wasn't able to find the "pwdChangedTime" attribute in my
directory.

Good luck,
Jason

jmc...@us.ibm.com

Mar 28, 2006, 7:49:28 PM3/28/06
From a JNDI perspective, you can modify attributes like pwdChangedTime.
The ldapmodify -k option is equivalent to attaching the "Server
Administration Control" to a modify request. This control has the OID
1.3.18.0.2.10.15 with no control value.

In JNDI you do this by creating a class implementing the
javax.naming.ldap.Control interface:
- getEncodedValue() returns null
- getID() returns the OID from above
- isCritical() probably returns true for this case

You then use the LdapContext.setRequestControls() method.

I know you can use ITDI methods to get the DirContext object for an LDAP
connector, which should return LdapContext. Use that object to set the
controls.

There may be a better way - from an ITDI perspective - to do this. I see
that ITDI has a LDAPControl class that looks useful for creating the
desired control: Just pass in the OID on the constructor. I don't know if
this class ties into ITDI elsewhere.

John McMeeking

Juan Paulo Cabezas

Apr 3, 2006, 3:08:26 PM4/3/06
Sorry but I'm not a Java programmer (that's the point of using IDI), so
I have not been able to use the JNDI approach...

Looking into the IDI API I found that I can get the ldap context by using:

var lcontext = ldapmodify.connector.getLdapContext();

(ldapmodify is a connector on the AL).

and then I generate the control through

control = new Packages.com.ibm.di.eventhandler.ldap.LDAPControl("1.3.18.0.2.10.15");


but there is not a setXXX on the IDI API. So I can't execute something like

lcontext.setRequestControls(control);

any other ideas ?

thanx


That's all

Eddie Hartman

Apr 4, 2006, 12:23:10 PM4/4/06
Hi Juan Paulo,

In TDI you specify the Operational Atts in the
LDAP Connector's Config/Connection tab in the
parameter called "Return attributes". Note that
you will need to specify all Attributes to return.
The operational ones must be listed by name, but
you can use an asterisk (*) to indicate that all
standard Attributes should be returned as well:

modifyTimeStamp
*

-Eddie

Juan Paulo Cabezas

Apr 4, 2006, 1:07:25 PM4/4/06
Thanx Eddie, but I have already done that... actually I configured the
return attributes with:

*
pwdreset
pwdfailuretime
pwdHistory
pwdGraceUseTime
pwdExpirationWarned
pwdAccountLockedTime
pwdChangedTime

The AL is very simple ... I search for a user and the work object has
the info:

pwdChangedTime (replace):'20060331221739.000000Z'
sn (replace):'sadmin'
$dn (replace):'uid=sadmin,cn=users,o=siebel'
objectClass (replace):'top' 'inetOrgPerson' 'organizationalPerson' 'person' 'ePerson'
pwdReset (replace):'true'
givenName (replace):'Siebel'
uid (replace):'sadmin'
pwdAccountLockedTime (replace):'20060331222757.000000Z'
cn (replace):'Administrador Siebel'
description (replace):'0-1'
pwdFailureTime (replace):'20060331222756.000000Z' '20060331222757.000000Z'
userPassword (replace): (\33\32\31\6d\6f\6d\69\61)

and then I try to modify the pwdChangedTime with the value:
20070331221739.000000Z

But I get a:

javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'uid=sadmin,cn=users,o=siebel'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3036)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2757)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1457)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:191)
12:54:07 [ldapmodify] Update
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'uid=sadmin,cn=users,o=siebel'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3036)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2757)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1457)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:191)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:165)
at com.ibm.di.connector.LDAPConnector.modEntry(Unknown Source)
at com.ibm.di.server.AssemblyLineComponent.modify(Unknown Source)
at com.ibm.di.server.AssemblyLineComponent.update(Unknown Source)
at com.ibm.di.server.AssemblyLine.msExecuteNextConnector(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeMainStep(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeMainLoop(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeMainLoop(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeAL(Unknown Source)
at com.ibm.di.server.AssemblyLine.run(Unknown Source)
12:54:07 Error in: NextConnectorOperation:
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'uid=sadmin,cn=users,o=siebel'
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:165)
at com.ibm.di.connector.LDAPConnector.modEntry(Unknown Source)
at com.ibm.di.server.AssemblyLineComponent.modify(Unknown Source)
at com.ibm.di.server.AssemblyLineComponent.update(Unknown Source)
at com.ibm.di.server.AssemblyLine.msExecuteNextConnector(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeMainStep(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeMainLoop(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeMainLoop(Unknown Source)
at com.ibm.di.server.AssemblyLine.executeAL(Unknown Source)
at com.ibm.di.server.AssemblyLine.run(Unknown Source)


the server log shows... (ibmslapd.log)

04/04/06 12:51:18 The attribute pwdChangedTime is not allowed for entry uid=sadmin,cn=users,o=siebel.
04/04/06 12:51:18 Entry uid=sadmin,cn=users,o=siebel violates the schema definition.

the audit.log shows...
AuditV2--2006-04-04-12:58:30.960-04:00--V3 Bind--bindDN: cn=root--client: 192.168.50.115:4101--connectionID: 92--received: 2006-04-04-12:58:30.960-04:00--Success
name: cn=root
authenticationChoice: simple
AuditV2--2006-04-04-12:58:31.101-04:00--V3 Search--bindDN: cn=root--client: 192.168.50.115:4101--connectionID: 92--received: 2006-04-04-12:58:31.096-04:00--Success
base: o=siebel
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (uid=SADMIN)
attributes: *, pwdreset, pwdfailuretime, pwdHistory, pwdGraceUseTime, pwdExpirationWarned, pwdAccountLockedTime, pwdChangedTime
AuditV2--2006-04-04-12:58:31.111-04:00--V3 Modify--bindDN: cn=root--client: 192.168.50.115:4101--connectionID: 92--received: 2006-04-04-12:58:31.108-04:00--Object class violation
object: uid=sadmin,cn=users,o=siebel
replace: pwdChangedTime
AuditV2--2006-04-04-12:58:31.160-04:00--V3 Unbind--bindDN: cn=root--client: 192.168.50.115:4101--connectionID: 92--received: 2006-04-04-12:58:31.160-04:00--Success
AuditV2--2006-04-04-12:58:32.661-04:00--V3 Unbind--bindDN: cn=root--client: 192.168.50.115:4100--connectionID: 91--received: 2006-04-04-12:58:32.661-04:00--Success

If I try to do the same thing through the command line it works fine.

root@portillo>ldapmodify -k -D cn=root -w pwd
dn: uid=sadmin,cn=users,o=siebel
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20070331221739.000000Z

modifying entry uid=sadmin,cn=users,o=siebel


on the audit.log you can see...

AuditV2--2006-04-04-12:59:39.638-04:00--V3 Bind--bindDN: cn=root--client: 10.20.30.116:32983--connectionID: 93--received: 2006-04-04-12:59:39.638-04:00--Success
controlType: 1.3.18.0.2.10.15
criticality: true
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=root
authenticationChoice: simple
AuditV2--2006-04-04-13:00:31.441-04:00--V3 Modify--bindDN: cn=root--client: 10.20.30.116:32983--connectionID: 93--received: 2006-04-04-13:00:31.378-04:00--Success
controlType: 1.3.18.0.2.10.15
criticality: true
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
object: uid=sadmin,cn=users,o=siebel
replace: pwdChangedTime
AuditV2--2006-04-04-13:00:33.028-04:00--V3 Unbind--bindDN: cn=root--client: 10.20.30.116:32983--connectionID: 93--received: 2006-04-04-13:00:33.028-04:00--Succes


So I can do what I like to do from the command line, but not with IDI... :(


any ideas??
regards

That's all
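The two audit.log excerpts above differ in one visible way: the Modify that succeeded carries "controlType: 1.3.18.0.2.10.15", the Server Administration Control that -k attaches, while the Modify that was refused does not. That footprint makes use of the control auditable. The scanner below is an added example, not code from the thread, from ITDI or from IBM: it parses AuditV2 records (one header line starting with "AuditV2--" followed by detail lines) and reports every Modify that carried the control, so that overrides of password-policy attributes can be reviewed. The sample log is constructed from the shape of the lines quoted above, with one extra Modify without the control added so the filter has something to ignore; the class, method and output format are mine.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Scans ITDS audit.log (AuditV2 format) for Modify operations that carried
 * the Server Administration Control, i.e. the on-the-wire footprint of
 * "ldapmodify -k" or of a JNDI request control with the same OID.
 */
public final class AdminControlAuditScan {

    /** OID of the ITDS Server Administration Control, as quoted in the thread. */
    static final String SERVER_ADMIN_CONTROL_OID = "1.3.18.0.2.10.15";

    /** Constructed sample in the AuditV2 shape quoted in the thread; not real log data. */
    static final String SAMPLE_LOG = String.join("\n",
        "AuditV2--2006-04-04-12:59:39.638-04:00--V3 Bind--bindDN: cn=root--client: 10.20.30.116:32983--connectionID: 93--received: 2006-04-04-12:59:39.638-04:00--Success",
        "controlType: " + SERVER_ADMIN_CONTROL_OID,
        "criticality: true",
        "name: cn=root",
        "authenticationChoice: simple",
        "AuditV2--2006-04-04-13:00:31.441-04:00--V3 Modify--bindDN: cn=root--client: 10.20.30.116:32983--connectionID: 93--received: 2006-04-04-13:00:31.378-04:00--Success",
        "controlType: " + SERVER_ADMIN_CONTROL_OID,
        "criticality: true",
        "object: uid=sadmin,cn=users,o=siebel",
        "replace: pwdChangedTime",
        // Constructed: an ordinary Modify without the control, which must not be reported.
        "AuditV2--2006-04-04-13:05:00.000-04:00--V3 Modify--bindDN: cn=root--client: 192.168.50.115:4101--connectionID: 92--received: 2006-04-04-13:05:00.000-04:00--Success",
        "object: uid=sadmin,cn=users,o=siebel",
        "replace: description",
        "");

    /** One record = the AuditV2 header line plus the detail lines that follow it. */
    private static final class Record {
        // Header layout: AuditV2--time--op--bindDN: ..--client: ..--connectionID: ..--received: ..--result
        final String[] header;
        final List<String> details = new ArrayList<>();

        Record(String headerLine) { header = headerLine.split("--"); }

        String field(int i) { return header.length > i ? header[i] : ""; }
        String operation() { return field(2); }
        boolean hasDetail(String line) { return details.contains(line); }

        /** Value of the first detail line starting with prefix, or "" if absent. */
        String detail(String prefix) {
            for (String d : details) {
                if (d.startsWith(prefix)) return d.substring(prefix.length());
            }
            return "";
        }
    }

    /** Returns one human-readable finding per Modify that used the admin control. */
    public static List<String> scan(String log) {
        List<String> findings = new ArrayList<>();
        Record current = null;
        for (String line : log.split("\n")) {
            if (line.startsWith("AuditV2--")) {
                report(current, findings);   // close the previous record
                current = new Record(line);
            } else if (current != null && !line.isEmpty()) {
                current.details.add(line);
            }
        }
        report(current, findings);           // close the last record
        return findings;
    }

    /** Only Modify records matter: the Bind also lists the control, but the override acts on the write. */
    private static void report(Record r, List<String> out) {
        if (r == null || !r.operation().equals("V3 Modify")) return;
        if (!r.hasDetail("controlType: " + SERVER_ADMIN_CONTROL_OID)) return;
        out.add(String.format("%s %s by %s from %s on %s (%s) -> %s",
            r.field(1), r.operation(), r.field(3), r.field(4),
            r.detail("object: "), r.detail("replace: "), r.field(7)));
    }

    public static void main(String[] args) {
        // A real deployment would stream the audit.log file here instead of the embedded sample.
        for (String finding : scan(SAMPLE_LOG)) {
            System.out.println(finding);
        }
    }
}
```

Splitting the header on "--" is safe because the AuditV2 timestamps and DNs quoted in the thread contain only single hyphens; a record is closed when the next "AuditV2--" line arrives, so detail lines such as "controlType:" and "replace:" are attributed to the operation they belong to rather than matched anywhere in the file.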

Christian Chateauvieux

Apr 4, 2006, 5:23:19 PM4/4/06
Yes, Juan Paulo,

updating the pwdChangedTime attribute works on the command line, because
the -k option allows an update operation under conditions when the
operation would normally be refused (when the server is quiesced, or
when you're connected to a read-only replica, or when a
non-user-modifiable attribute is changed, etc.) Typically the -k option is
used to override password policy settings or to prevent certain changes
from being replicated. And -k only works when connected as an administrator.

In Java or ITDI, the -k option effect can be obtained by setting the
Server Administration Control in the LDAP context. As John pointed out,
you can get the LDAP connection context by using the ITDI connector
methods.

co = thisConnector.connector.getLdapContext();

returns the context, instance of the
javax.naming.ldap.InitialLdapContext class, which has a
setRequestControls method. You should try using this method, documented
at
http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/ldap/LdapContext.html#setRequestControls(javax.naming.ldap.Control[])

Note it is an array of Control objects you need to pass as an argument
of the method.

HTH,

Christian
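John's description of the Control implementation (getID() returning the OID, getEncodedValue() returning null, isCritical() true) and Christian's note that setRequestControls() takes an array fit together as follows. This is an added example in plain JNDI, not code from the thread, from ITDI or from IBM. It assumes a connected javax.naming.ldap.LdapContext such as the one connector.getLdapContext() returns in the thread, uses the OID 1.3.18.0.2.10.15 quoted by John, and the class name ServerAdminControl and the helper replaceWithAdminControl are mine.

```java
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;

/**
 * JNDI request control equivalent to "ldapmodify -k" against ITDS:
 * the Server Administration Control, OID 1.3.18.0.2.10.15, carries no
 * control value, so getEncodedValue() returns null.
 */
public final class ServerAdminControl implements Control {
    private static final long serialVersionUID = 1L;

    /** OID quoted in the thread for the ITDS Server Administration Control. */
    public static final String OID = "1.3.18.0.2.10.15";

    private final boolean critical;

    public ServerAdminControl(boolean critical) {
        this.critical = critical;
    }

    @Override
    public String getID() {
        return OID;
    }

    /** No control value: the control is just the OID plus the criticality flag. */
    @Override
    public byte[] getEncodedValue() {
        return null;
    }

    /**
     * Critical means a server that does not recognise the control refuses the
     * operation outright, instead of applying the modify without the override
     * and leaving the caller to guess why it failed (or why it succeeded).
     */
    @Override
    public boolean isCritical() {
        return critical;
    }

    /**
     * Replace one attribute on an entry with the control attached to that
     * single request, then restore whatever controls the context had before.
     *
     * @param ctx   an already connected LdapContext (assumed here; e.g. the
     *              object the ITDI LDAP connector returns)
     * @param dn    entry to modify
     * @param attr  attribute to replace, e.g. an operational one such as pwdChangedTime
     * @param value the new value in the server's syntax for that attribute
     */
    public static void replaceWithAdminControl(LdapContext ctx, String dn,
                                               String attr, String value)
            throws NamingException {
        Control[] previous = ctx.getRequestControls();   // may be null
        // setRequestControls() takes an array, not a single Control.
        ctx.setRequestControls(new Control[] { new ServerAdminControl(true) });
        try {
            BasicAttributes mods = new BasicAttributes(true);   // ignoreCase
            mods.put(new BasicAttribute(attr, value));
            ctx.modifyAttributes(dn, DirContext.REPLACE_ATTRIBUTE, mods);
        } finally {
            // Passing null back is allowed: "no controls are used".
            ctx.setRequestControls(previous);
        }
    }
}
```

Restoring the previous controls in the finally block is the part that matters most in ITDI, where the connector's context is reused for every later operation in the AssemblyLine; without it, every subsequent modify on that connection would silently carry the administrative override, and the audit.log would show the control on writes nobody meant to exempt from password policy. Marking the control critical gives an explicit error from a server that does not support it rather than a modify that appears to succeed without the -k semantics.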
