Change passwordPolicy objectClass in LDAP

Question

I have the ff LDIF file for adding an attributeType passwordNonRootMayResetUserpwd. The attributeType is already existing.

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.6 NAME 'passwordPolicy'
        SUP top STRUCTURAL MUST cn MAY ( description $ passwordMaxAge
        $ passwordExp $ passwordMinLength $ passwordInHistory
        $ passwordChange $ passwordWarning $ passwordLockout
        $ passwordMaxFailure $ passwordResetDuration
        $ passwordUnlock $ passwordLockoutDuration
        $ passwordCheckSyntax $ passwordMustChange
        $ passwordStorageScheme $ passwordMinAge
        $ passwordResetFailureCount $ passwordExpireWithoutWarning
        $ passwordRootdnMayBypassModsChecks ) )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.6 NAME 'passwordPolicy'
        SUP top STRUCTURAL MUST cn MAY ( description $ passwordMaxAge
        $ passwordExp $ passwordMinLength $ passwordInHistory
        $ passwordChange $ passwordWarning $ passwordLockout
        $ passwordMaxFailure $ passwordResetDuration
        $ passwordUnlock $ passwordLockoutDuration
        $ passwordCheckSyntax $ passwordMustChange
        $ passwordStorageScheme $ passwordMinAge
        $ passwordResetFailureCount $ passwordExpireWithoutWarning
        $ passwordRootdnMayBypassModsChecks $ passwordNonRootMayResetUserpwd ) )

I'm getting the ff error and I'm stuck.

$ ldapmodify -h host -p 8888 -D "cn=Directory Manager" -f delete_add.ldif
Enter bind password:
modifying entry cn=schema
ldap_modify: DSA is unwilling to perform
ldap_modify: additional info: objectclasses: No target attribute type or object class specified

I do not know what's causing this error since the attributeType exists as well as the objectClass.

Edit: This LDAP service is running on Sun OS 10.

score 1 · Answer 1 · answered Oct 04 '11 at 12:55

1

You do not mention which backend server is offering LDAP services. In general when modifying schema in this fashion, it is best to do the delete and add as one atomic operation.

That is a - after the delete: followed immediately by an add: action.

answered Oct 04 '11 at 12:55

geoffc

2,135
5
25
37

I have edited the post, the server is Sun OS 10. – setzamora Oct 07 '11 at 03:52
I'm getting ldap_modify: additional info: object class passwordPolicy: Cannot delete a standard object class – setzamora Jan 09 '12 at 08:45

setzamora · Accepted Answer · 2012-01-09T10:10:01.567

I got it working by doing the ff sequentially:

Firstly, add the attributeType

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.782
 NAME 'passwordNonRootMayResetUserpwd'
 DESC 'Sun ONE defined password policy attribute type'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 X-DS-USE 'internal'
 X-ORIGIN 'Sun ONE Directory Server' )

Lastly, associate the attributeType to the objectClass

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.6 NAME 'passwordPolicy'
        SUP top STRUCTURAL MUST cn MAY ( description $ passwordMaxAge
        $ passwordExp $ passwordMinLength $ passwordInHistory
        $ passwordChange $ passwordWarning $ passwordLockout
        $ passwordMaxFailure $ passwordResetDuration
        $ passwordUnlock $ passwordLockoutDuration
        $ passwordCheckSyntax $ passwordMustChange
        $ passwordStorageScheme $ passwordMinAge
        $ passwordResetFailureCount $ passwordExpireWithoutWarning
        $ passwordRootdnMayBypassModsChecks $ passwordNonRootMayResetUserpwd ) )

Fire these two on separate LDIF files then invoke ldapmodify

Change passwordPolicy objectClass in LDAP

2 Answers2