
I am probably going about this all wrong, but there is no "Look stupid, do this..." level documentation out there that I have found.

  • I have Apache DS v2.0.0
  • I have users
  • I want some users (who I add to the cn=unlock_admin,ou=groups,dc=example,dc=com group) to be able to remove the pwdAccountLockedTime operational field:


I have the following prescriptiveAcl in a

{
    identificationTag "adminPrivileges",
    precedence 0,
    authenticationLevel simple,
    itemOrUserFirst userFirst: 
    {
        userClasses { allUsers },
        userPermissions 
        {
            {
                protectedItems 
                {
                    entry,
                    allUserAttributeTypesAndValues,
                    allAttributeValues { pwdAccountLockedTime } 
                },
                grantsAndDenials 
                {
                    grantAdd,
                    grantFilterMatch,
                    grantBrowse,
                    grantRemove,
                    grantReturnDN,
                    grantRename,
                    grantCompare,
                    grantRead,
                    grantModify 
                }
            }
        }
    }
}

Seems simple enough, but I'm missing something key, as anyone who tries this gets the "not modified by user" error.

Attempting to remove the pwdAccountLockedTime field from another user's account results in the following error:

Error while executing LDIF - [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUES java.lang.Exception: [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 18 Modify Request Object : 'uid=lorin,ou=people,dc=example,dc=com' Modification[0] Operation : delete Modification pwdAccountLockedTime: (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@b070850: ERR_30 The attributetype ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) operational attribute cannot be modified by a user] at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1280) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:109) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:726) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1109) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:748) at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:514) at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272) at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157) at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123) at org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59) at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:112) at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)

[LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 18 Modify Request Object : 'uid=lorin,ou=people,dc=example,dc=com' Modification[0] Operation : delete Modification pwdAccountLockedTime: (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@b070850: ERR_30 The attributetype ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) operational attribute cannot be modified by a user]

I would prefer they only be able to have admin passwords on this ou and not the entire system (e.g. making a system admin).

???

Using STS with Apache LDAP Plugin.

Lorin S.
  • Yes, using Apache Directory Studio to manage users. – Lorin S. Jul 13 '15 at 17:46
  • The `pwdAccountLockedTime` is not included in `apacheds-2.0.0_M20`. Please update the question with how you added this feature to ApacheDS. – 030 Jul 13 '15 at 21:12
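The ERR_30 text quoted above carries the attribute's full schema definition, and the decisive part is the NO-USER-MODIFICATION flag: the server refuses the delete at the schema level before any prescriptiveACI is consulted, so the grantModify/grantRemove entries in the ACI never come into play. As an added example (not from the question or from ApacheDS), this Python parses an RFC 4512 attribute type description and reports whether an ACI grant can even be the deciding factor; the first definition string is copied from the error message, the other two in the test are the standard cn and telephoneNumber definitions.

```python
import re

# Attribute type description copied from the ERR_30 message in the question.
PWD_ACCOUNT_LOCKED_TIME = (
    "( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' "
    "DESC 'The time an user account was locked' "
    "EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION "
    "USAGE directoryOperation )"
)

# RFC 4512 section 4.1.2: boolean flags, and keywords that take one value.
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
VALUED = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}


def parse_attribute_type(desc):
    """Parse an RFC 4512 AttributeTypeDescription into a dict with keys
    oid, names (list), flags (set) and one lower-cased key per VALUED keyword."""
    body = desc.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("description must be enclosed in parentheses")
    # Tokens: quoted strings, parentheses, or bare words (OIDs, keywords, {len}).
    tokens = re.findall(r"'[^']*'|\(|\)|[^\s()']+", body[1:-1])
    if not tokens:
        raise ValueError("missing numericoid")
    at = {"oid": tokens[0], "names": [], "flags": set()}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            at["flags"].add(tok)
            i += 1
        elif tok == "NAME":  # either 'name' or ( 'name1' 'name2' ... )
            i += 1
            if tokens[i] == "(":
                j = tokens.index(")", i)
                at["names"] = [t.strip("'") for t in tokens[i + 1:j]]
                i = j + 1
            else:
                at["names"] = [tokens[i].strip("'")]
                i += 1
        elif tok in VALUED:
            at[tok.lower()] = tokens[i + 1].strip("'")
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return at


def aci_can_apply(desc):
    """False when NO-USER-MODIFICATION is set: the schema check rejects the
    change (ApacheDS ERR_30) before any ACI is evaluated, so no grant helps."""
    return "NO-USER-MODIFICATION" not in parse_attribute_type(desc)["flags"]
```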

0 Answers