 
Old 05-09-2012, 01:45 PM
Ali Jawad
 
Default Disable Inactive Users After 90 days

Hi

I have a requirement to disable inactive users after 90 days. I did read http://directory.fedoraproject.org/wiki/Account_Policy_Design but I am not sure whether this is a design proposal or the actual implementation.

My DS version is:

rpm -qa | grep 389
389-admin-console-1.1.8-1.el5
389-ds-base-1.2.9.9-1.el5
389-dsgw-1.1.7-2.el5
389-console-1.1.7-3.el5
389-adminutil-1.1.14-1.el5
389-admin-1.1.23-1.el5
389-admin-console-doc-1.1.8-1.el5
389-ds-1.2.1-1.el5
389-ds-base-libs-1.2.9.9-1.el5
389-ds-console-1.2.6-1.el5
389-ds-console-doc-1.2.6-1.el5

I got

[root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b "cn=config" -s base lastLoginTime
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: lastLoginTime
#

# config
dn: cn=config

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and

[root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
/etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
/etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'

I am not sure how to implement this though, please advise.



Regards


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-09-2012, 01:47 PM
Rich Megginson
 
Default Disable Inactive Users After 90 days

On 05/09/2012 07:45 AM, Ali Jawad wrote:

> I am not sure how to implement this though, please advise.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html

 
Old 05-09-2012, 02:17 PM
Ali Jawad
 
Default Disable Inactive Users After 90 days

Hi

Thanks Rich, just what I was searching for, I am facing a problem though "ldapmodify: No such object (32) matched DN: dc=domain,dc=local" at:

[user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x

dn: cn=Account Inactivation Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy

I am doing

[root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x

dn: cn=Account Inactivation Policy,dc=domain,dc=local
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy
modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
ldapmodify: No such object (32)
        matched DN: dc=domain,dc=local


--
Ali Jawad
Information Systems Manager

Splendor Telecom (www.splendor.net)



Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554


 
Old 05-09-2012, 02:19 PM
Rich Megginson
 
Default Disable Inactive Users After 90 days

On 05/09/2012 08:17 AM, Ali Jawad wrote:

> I am doing
>
> [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
>
> dn: cn=Account Inactivation Policy,dc=domain,dc=local
> objectClass: top
> objectClass: ldapsubentry
> objectClass: extensibleObject
> objectClass: accountpolicy
> accountInactivityLimit: 2592000
> cn: Account Inactivation Policy
> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
> ldapmodify: No such object (32)
>         matched DN: dc=domain,dc=local

Right. You are missing the ldapmodify -a - see the original instructions

 
Old 05-09-2012, 02:26 PM
Ali Jawad
 
Default Disable Inactive Users After 90 days

Hi Rich

Your help is highly appreciated, I got it working, thanks for your patience.

Regards

 
Old 05-09-2012, 04:09 PM
Ali Jawad
 
Default Disable Inactive Users After 90 days

Hi Rich

Seems I still got a problem, the users can't logon anymore, I did try to

dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime

But I keep getting

ldapmodify: extra lines at end (line 3 of entry "uid=username,ou=people,dc=domain,dc=local")

I checked for whitespaces, extra lines..but still same issue

I did also check for lastLoginTime values in the users in the interface, but the value is empty..so not sure if this is the problem at all

Regards






 
Old 05-09-2012, 04:09 PM
Rich Megginson
 
Default Disable Inactive Users After 90 days

On 05/09/2012 10:09 AM, Ali Jawad wrote:

> Hi Rich
> Seems I still got a problem, the users can't logon anymore, I did try to
>
> dn: uid=username,ou=people,dc=domain,dc=local
> changetype: delete
> delete: lastLoginTime
>
> But I keep getting
>
> ldapmodify: extra lines at end (line 3 of entry "uid=username,ou=people,dc=domain,dc=local")
>
> I checked for whitespaces, extra lines..but still same issue
>
> I did also check for lastLoginTime values in the users in the interface, but the value is empty..so not sure if this is the problem at all

does ldapmodify -d 1 give any more useful information?

 
Old 05-09-2012, 04:13 PM
Jim Finn
 
Default Disable Inactive Users After 90 days

Are you doing this via an ldif file or stdin?

Try

echo -e "dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime

" | ldapmodify -x -h yourhost -D"cn=directory manager" -wPaSsWoRd

Jim

 
Old 05-09-2012, 04:20 PM
Jim Finn
 
Default Disable Inactive Users After 90 days

Actually, I just re-read what you are trying to do...

"Changetype: delete" is intended to delete the entire entry, not an attribute.
You're receiving that error because there should be no further instruction after a "Changetype: delete"

I believe what you are attempting to do is remove the lastLoginTime attribute. You would accomplish that like this:

dn: uid=username,ou=people,dc=domain,dc=local
changetype: modify
delete: lastLoginTime

Jim


 
Old 05-09-2012, 04:20 PM
Ali Jawad
 
Default Disable Inactive Users After 90 days

Stdin, problem is even new users can't register anymore. Not just existing ones..will test your suggestion
Regards

On Wed, May 9, 2012 at 7:13 PM, Jim Finn <jamespfinn@gmail.com> wrote:


Are you doing this via an ldif file or stdin?
Try echo -e "dn: uid=username,ou=people,dc=domain,dc=local
changetype: modify
delete: lastLoginTime

" | ldapmodify -x -h yourhost -D"cn=directory manager" -wPaSsWoRd



Jim

On Wed, May 9, 2012 at 11:09 AM, Rich Megginson <rmeggins@redhat.com> wrote:








On 05/09/2012 10:09 AM, Ali Jawad wrote:

Hi Rich
Seems I still got a problem, the users can't logon anymore, I did try to

dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime

But I keep getting

ldapmodify: extra lines at end (line 3 of entry "uid=username,ou=people,dc=domain,dc=local")

I checked for whitespaces, extra lines..but still same issue

I did also check for lastLoginTime values in the users in the interface, but the value is empty..so not sure if this is the problem at all





does ldapmodify -d 1 give any more useful information?









Regards















On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <ali.jawad@splendor.net> wrote:

Hi Rich
Your help is highly appreciated, I got it working, thanks for your patience.

Regards

On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <rmeggins@redhat.com> wrote:

On 05/09/2012 08:17 AM, Ali Jawad wrote:

Hi

Thanks Rich, just what I was searching for, I am facing a problem though "ldapmodify: No such object (32) matched DN: dc=domain,dc=local" at :






[user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x

dn: cn=Account Inactivation Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy




I am doing

[root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password  -p 389 -h x.x.x.x   -x

dn: cn=Account Inactivation Policy,dc=domain,dc=local
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy
modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"

ldapmodify: No such object (32)
        matched DN: dc=domain,dc=local


Right.  You are missing the ldapmodify -a - see the original instructions











--


Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)



Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
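
The thread's two LDIF operations as an added shell example (not from the thread or the 389 project): the policy subentry sent in add mode, and removal of lastLoginTime, which needs changetype: modify because a changetype: delete record removes the whole entry and accepts no further lines. The function names and the yourhost placeholder are assumptions.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of 389 DS.

# accountInactivityLimit is expressed in seconds; convert from days.
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# Policy subentry from the thread. The record has no changetype line,
# so it must be sent with "ldapmodify -a" (add mode).
policy_ldif() {   # $1 = suffix, $2 = inactivity limit in days
    printf 'dn: cn=Account Inactivation Policy,%s\n' "$1"
    printf 'objectClass: top\nobjectClass: ldapsubentry\n'
    printf 'objectClass: extensibleObject\nobjectClass: accountpolicy\n'
    printf 'accountInactivityLimit: %s\n' "$(days_to_seconds "$2")"
    printf 'cn: Account Inactivation Policy\n'
}

# Remove one attribute: this is a modify operation on the entry.
clear_lastlogin_ldif() {   # $1 = user DN
    printf 'dn: %s\nchangetype: modify\ndelete: lastLoginTime\n-\n' "$1"
}

# Lint LDIF on stdin: "changetype: delete" removes the whole entry and
# allows no further lines in the record. Returns 1 if any are found.
lint_ldif() {
    awk '
        /^[ \t]*$/ { del = 0; next }   # blank line ends the record
        del { printf "line %d: extra line after changetype: delete\n", NR; bad = 1 }
        tolower($0) ~ /^changetype:[ \t]*delete[ \t]*$/ { del = 1 }
        END { exit bad + 0 }
    '
}

# Usage (yourhost is a placeholder; -W prompts for the bind password):
#   policy_ldif "dc=domain,dc=local" 90 |
#       ldapmodify -a -x -h yourhost -D "cn=directory manager" -W
#   clear_lastlogin_ldif "uid=username,ou=people,dc=domain,dc=local" | lint_ldif
```

accountInactivityLimit is in seconds, so the 2592000 shown in the thread is 30 days and a 90-day limit is 7776000.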

