User Activation (and other modules) - Possible to delete an attribute?


artvan...@gmail.com

May 12, 2014, 8:07:27 PM
to pwm-g...@googlegroups.com
Note: I am currently using PWM 1.6.4 due to issues with RHDS and LdapChai. I'm hoping to test out 1.8 soon.

I have made good use of the User Activation Module and use it to preload locked accounts that can then be activated by the user. As such I use a couple of attributes to ensure only accounts that meet pre-defined criteria can be activated.

One thing that I have encountered is users who have their passwordexpiredtime attribute set to the past are repeatedly asked to set their password over and over. As such I would like to have the ability to remove the attribute entirely vis-a-vis the User Activation and/or Change Password's post write attributes.

However, my attempts to set passwordexpiredtime= with no value don't seem to work and I was wondering if there was a way to delete attributes or a better way to tackle the problem entirely. I saw something about PwmMacros and thought maybe there is one to generate a datetime string (i.e. 201406301200Z) to properly set this.

PWM is awesome, thanks for your help and the product as a whole.

artvan...@gmail.com

May 12, 2014, 8:25:56 PM
to pwm-g...@googlegroups.com, artvan...@gmail.com
Looking a bit more closely I am noticing that I do not have that attribute in my ACI for PwmProxy:

dn: ou=People,dc=domain,dc=local
changetype: modify
add: aci
aci: (targetattr = "*") (target = "ldap:///ou=People,dc=domain,dc=local") (version 3.0; acl "PWM Proxy Search"; allow (read,search)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=domain,dc=local") and (dns="ldap.domain.local" or dns="ldap2.domain.local");)
aci: (targetattr = "*") (target = "ldap:///ou=People,dc=domain,dc=local") (version 3.0; acl "PWM Proxy Add Users"; allow (add)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=domain,dc=local") and (dns="ldap.domain.local" or dns="ldap2.domain.local");)
aci: (targetattr = "pwmGUID || pwmNewRequest || pwmRequestedAccess || pwmLastPwdUpdate || userPassword || objectClass || pwmEventLog || nsaccountlock") (target = "ldap:///ou=People,dc=domain,dc=local") (version 3.0; acl "PWM Proxy Reset Password"; allow (write)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=domain,dc=local") and (dns="ldap.domain.local" or dns="ldap2.domain.local");)
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet || pwmRequestedAccess || pwmNewRequest")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

You may note I have a couple of custom attributes I use to flag newly activated accounts, but am wondering if pwmproxy also needs write access to passwordexpirationtime?
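The ACI question in the post above can be checked mechanically. The following Python sketch is an added example, not part of the original thread or of PWM: it parses the four posted ACI values and reports which of them let the proxy DN write a given attribute. The function names are hypothetical, and the parser is a simplification that reads only allow rules and ignores deny rules, targetfilter and the dns bind condition.

```python
import re

# The four ACI values from the post above, copied as posted.
ACIS = [
    '(targetattr = "*") (target = "ldap:///ou=People,dc=domain,dc=local") (version 3.0; acl "PWM Proxy Search"; allow (read,search)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=domain,dc=local") and (dns="ldap.domain.local" or dns="ldap2.domain.local");)',
    '(targetattr = "*") (target = "ldap:///ou=People,dc=domain,dc=local") (version 3.0; acl "PWM Proxy Add Users"; allow (add)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=domain,dc=local") and (dns="ldap.domain.local" or dns="ldap2.domain.local");)',
    '(targetattr = "pwmGUID || pwmNewRequest || pwmRequestedAccess || pwmLastPwdUpdate || userPassword || objectClass || pwmEventLog || nsaccountlock") (target = "ldap:///ou=People,dc=domain,dc=local") (version 3.0; acl "PWM Proxy Reset Password"; allow (write)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=domain,dc=local") and (dns="ldap.domain.local" or dns="ldap2.domain.local");)',
    '(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet || pwmRequestedAccess || pwmNewRequest")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)',
]
PROXY_DN = "uid=pwmproxy,ou=People,dc=domain,dc=local"


def parse_aci(aci):
    """Pull the ACL name, targetattr list, granted rights and userdn URLs out of one ACI."""
    tattr = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    name = re.search(r'acl\s+"([^"]*)"', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    return {
        "name": name.group(1) if name else "",
        "negated": bool(tattr) and tattr.group(1) == "!=",
        "attrs": {a.strip().lower() for a in tattr.group(2).split("||")} if tattr else set(),
        "rights": {r.strip().lower() for r in rights.group(1).split(",")} if rights else set(),
        "userdns": [u.lower() for u in re.findall(r'userdn\s*=\s*"([^"]*)"', aci)],
    }


def write_acis_for(acis, bind_dn, attr):
    """Return the names of allow-ACIs that let bind_dn write attr."""
    want = "ldap:///" + bind_dn.lower()
    hits = []
    for p in map(parse_aci, acis):
        if not ({"write", "all"} & p["rights"]):
            continue  # ACI grants no write right
        if want not in p["userdns"]:
            continue  # ACI is bound to another subject (e.g. ldap:///self)
        listed = "*" in p["attrs"] or attr.lower() in p["attrs"]
        if listed != p["negated"]:  # "!=" inverts the attribute list
            hits.append(p["name"])
    return hits


if __name__ == "__main__":
    for attr in ("passwordExpirationTime", "nsAccountLock", "userPassword"):
        print(attr, "->", write_acis_for(ACIS, PROXY_DN, attr) or "no write ACI")
```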

artvan...@gmail.com

May 13, 2014, 1:05:28 AM
to pwm-g...@googlegroups.com, artvan...@gmail.com
So I realized that I only needed to enable password expiration in RHDS (it was off) and the problem went away.

However, while my initial problem was solved, the original question remains: can you delete attributes as part of the change password or user activation modules?

Jason Rivard

May 13, 2014, 2:15:01 AM
to pwm-g...@googlegroups.com, artvan...@gmail.com
Not supported.