Topic
  • 10 replies
  • Latest Post - 2013-10-31T08:31:48Z by Mcdz
Mcdz
35 Posts

Pinned topic (TDS) how to lock user

2013-10-30T05:05:10Z

I want to lock a user by using the pwdAccountLockedTime attribute, but when I try to modify the attribute it always says object violation error.

I had followed this page but nothing happened:

https://www-304.ibm.com/support/docview.wss?uid=swg21459410

I am using TDI 7.1.1 to modify TDS.


  • franzw
    339 Posts

    Re: (TDS) how to lock user

    2013-10-30T07:18:25Z

    What is your error - without that I am totally lost - my mind reading is not that good :-)

    I think it is time to mention http://www.catb.org/esr/faqs/smart-questions.html again...

    As the APAR/Technote is the result of one of my PMRs IIRC, I understand your problem very well - but without the error message and your hook script it is very difficult to give you any advice....

    Regards

    Franz Wolfhagen

  • Mcdz
    35 Posts

    Re: (TDS) how to lock user

    2013-10-30T07:26:32Z
    • In reply to franzw, 2013-10-30T07:18:25Z

    LOL, sorry, I will be more careful about my question. I get this error:

    CTGDIS077I Failed with error: [LDAP: error code 65 - Object Class Violation].

    when I tried to update the pwdAccountLockedTime attribute with the value "TRUE".

    Hook script (Before Initialize hook):

    thisConnector.connector.setServerAdminControl(true);

    TDI error log:

    [LDAP_DisOrEn] CTGDIS004I *** Finished dumping Entry

    14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ028I No distinguished name ($dn attribute ) was given. The existing distinguished name will be used to modify the entry.
    14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ039I Dumping LDAP Connector Modification List...
    14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ040I Modification item: Operation is replace attribute: pwdAccountLockedTime: true.
    14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ041I Finished dumping LDAP Connector Modification List.
    14:30:23,224 INFO  - [LDAP_DisOrEn] CTGDIS495I handleException , update, javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST'
    14:30:23,224 ERROR - [LDAP_DisOrEn] CTGDIS810E handleException - cannot handle exception , update 
    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3110)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3025)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2832)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1470)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:267)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:184)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:178)
    at com.ibm.di.connector.LDAPConnector.modEntry(LDAPConnector.java:1025)
    at com.ibm.di.server.AssemblyLineComponent.executeOperation(AssemblyLineComponent.java:3330)
    at com.ibm.di.server.AssemblyLineComponent.modify(AssemblyLineComponent.java:1883)
    at com.ibm.di.server.AssemblyLineComponent.update(AssemblyLineComponent.java:1733)
    at com.ibm.di.server.AssemblyLine.msExecuteNextConnector(AssemblyLine.java:3737)
    at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3351)
    at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2960)
    at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2943)
    at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2912)
    at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1311)
    14:30:23,224 ERROR - CTGDIS266E Error in NextConnectorOperation. Exception occurred: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST' 
    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3110)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3025)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2832)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1470)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:267)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:184)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:178)
    at com.ibm.di.connector.LDAPConnector.modEntry(LDAPConnector.java:1025)
    at com.ibm.di.server.AssemblyLineComponent.executeOperation(AssemblyLineComponent.java:3330)
    at com.ibm.di.server.AssemblyLineComponent.modify(AssemblyLineComponent.java:1883)
    at com.ibm.di.server.AssemblyLineComponent.update(AssemblyLineComponent.java:1733)
    at com.ibm.di.server.AssemblyLine.msExecuteNextConnector(AssemblyLine.java:3737)
    at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3351)
    at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2960)
    at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2943)
    at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2912)
    at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1311)
    Updated on 2013-10-30T07:35:35Z by Mcdz
  • franzw
    339 Posts

    Re: (TDS) how to lock user

    2013-10-30T07:40:03Z
    • In reply to Mcdz, 2013-10-30T07:26:32Z

    Well - the LDAP server is trying to tell you that something is violating the LDAP schema...

    I assume that your LDAP server is a TDS - have you been able to make this change using e.g. the Web Administration Tool?

    The ibmslapd.log may tell you a little more - what does that report?

    The reason here may also be that your output map contains other attributes than pwdAccountLockedTime - if that is the case you have to correct that. If not - is the value of pwdAccountLockedTime in GeneralizedTime format as required by the LDAP server?

    HTH

    Regards

    Franz Wolfhagen

    Updated on 2013-10-30T07:43:53Z by franzw
  • Mcdz
    35 Posts

    Re: (TDS) how to lock user

    2013-10-30T08:28:12Z
    • In reply to franzw, 2013-10-30T07:40:03Z

    I did try using the Web Administration Tool but got the same error (I had used GeneralizedTime format, for example 20131030150000Z).

    I added pwdAccountLockedTime into the inetOrgPerson objectclass by myself to test this, because the pwdAccountLockedTime attribute is owned by the ibm-slapdPwdPolicyAdmininetOrgPerson objectclass.

    I had checked in the Web Administration Tool: pwdAccountLockedTime requires Generalized Time syntax.

    How do I check if it is containing other attributes?

    Nothing recorded in ibmslapd.log:

    Oct 30 12:03:24 2013 GLPSRV041I Server starting.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libldaprepl.dll.
    Oct 30 12:03:25 2013 GLPSRV155I The DIGEST-MD5 SASL Bind mechanism is enabled in the configuration file.
    Oct 30 12:03:25 2013 GLPCOM021I The preoperation plugin is successfully loaded from libDigest.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.dll.
    Oct 30 12:03:25 2013 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.dll.
    Oct 30 12:03:25 2013 GLPCOM025I The audit plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libldapaudit.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
    Oct 30 12:03:25 2013 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.dll.
    Oct 30 12:03:25 2013 GLPCOM022I The database plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libback-config.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.dll.
    Oct 30 12:03:25 2013 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.dll.
    Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.dll.
    Oct 30 12:03:25 2013 GLPCOM022I The database plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libback-rdbm.dll.
    Oct 30 12:03:25 2013 GLPCOM010I Replication plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libldaprepl.dll.
    Oct 30 12:03:25 2013 GLPSRV189I Virtual list view support is enabled.
    Oct 30 12:03:25 2013 GLPCOM021I The preoperation plugin is successfully loaded from libpta.dll.
    Oct 30 12:03:25 2013 GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database.
    Oct 30 12:03:25 2013 GLPSRV207I Group conflict resolution during replication is disabled.
    Oct 30 12:03:25 2013 GLPSRV200I Initializing primary database and its connections.
    Oct 30 12:03:29 2013 GLPRDB126I The directory server will not use DB2 selectivity.
    Oct 30 12:03:30 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.dll.
    Oct 30 12:03:30 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libidsfget.dll.
    Oct 30 12:03:30 2013 GLPSRV180I Pass-through authentication is disabled.
    Oct 30 12:03:30 2013 GLPCOM003I Non-SSL port initialized to 389.
    Oct 30 12:03:33 2013 GLPRPL137I Restricted Access to the replication topology is set to false.
    Oct 30 12:03:34 2013 GLPSRV009I 6.3.0.0 server started.
    Oct 30 12:03:34 2013 GLPRPL136I Replication conflict resolution mode is set to true.
    Oct 30 12:03:34 2013 GLPSRV048I Started 15 worker threads to handle client requests.
    Oct 30 12:03:34 2013 GLPSRV049I Started 10 handler threads to service established client connections.
    Oct 30 12:03:35 2013 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.
    Oct 30 12:03:35 2013 GLPSRV214I The LDAP Server is not recording binary trace.
    Oct 30 12:03:35 2013 GLPSRV216I The LDAP Server is not recording ascii trace.
    Oct 30 14:01:51 2013 GLPSRV202I During the last hour 0 updates were received from suppliers and 6 updates were received from other clients.
    Oct 30 14:01:51 2013 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.
    Oct 30 14:01:51 2013 GLPSRV214I The LDAP Server is not recording binary trace.
    Oct 30 14:01:51 2013 GLPSRV216I The LDAP Server is not recording ascii trace.
    Oct 30 15:02:42 2013 GLPSRV202I During the last hour 0 updates were received from suppliers and 18 updates were received from other clients.
    Oct 30 15:02:42 2013 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.
    Oct 30 15:02:42 2013 GLPSRV214I The LDAP Server is not recording binary trace.
    Oct 30 15:02:42 2013 GLPSRV216I The LDAP Server is not recording ascii trace.

  • franzw
    339 Posts
    ACCEPTED ANSWER

    Re: (TDS) how to lock user

    2013-10-30T08:55:17Z
    • In reply to Mcdz, 2013-10-30T08:28:12Z

    You should definitely not add them to your schema - the password attributes are "operational attributes" - i.e. they are hidden from the normal user but are always available if the context is right - e.g. you have password policies enabled, IIRC, in this specific case.

    See here: http://www-01.ibm.com/support/docview.wss?uid=swg21179419

    You may want to study the password policies a little more before continuing - take a look here: http://www.ibm.com/developerworks/tivoli/library/t-tdspp-ect/ and in the formal doc: https://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.IBMDS.doc%2Fadmin_gd191.htm

    For the general operational attribute concept I can recommend zytrax.com with their excellent LDAP guide: http://www.zytrax.com/books/ldap/ch3/

    HTH

    Regards

    Franz Wolfhagen

  • Mcdz
    35 Posts

    Re: (TDS) how to lock user

    2013-10-30T10:38:59Z
    • In reply to franzw, 2013-10-30T08:55:17Z

    Thank you, I got a lot from you franzw. It says the pwdAccountLockedTime attribute will not appear if the account is not locked.

    But when I locked the account it still did not work. Or is it only for the admin group?

  • franzw
    franzw
    339 Posts

    Re: (TDS) how to lock user

    ‏2013-10-30T11:11:20Z  
    • Mcdz
    • ‏2013-10-30T10:38:59Z


    you will have to explicitly ask for the attribute to be shown in your ldapsearch eg. :

    ldapsearch -b <base> -D cn=root -w <password> uid=<userid> pwdAccountLockedTime

    or

    ldapsearch -b <base> -D cn=root -w <password> uid=<userid> ++

    The "++" gives you ALL operational atributes.

    In TDI if you want the operational attributes returned you must list them on the "Return Attribute" on the "Advanced" part of the Connection setup.

    HTH

    Regards

    Franz Wolfhagen

  • Mcdz
    Mcdz
    35 Posts

    Re: (TDS) how to lock user

    ‏2013-10-31T02:37:13Z  
    • franzw
    • ‏2013-10-30T11:11:20Z


    Thank you for your advice, I have learned a lot from you.

    I misunderstood: pwdaccountlockedtime is not used to lock the account, but it's the date of when the account got locked, right?

    The attribute used to lock an account is ibm-pwdaccountlocked. And I did not check the "set operation attribute" checkbox, so I guess it's not an operation attribute. It will get an error if I check the "set operation attribute" checkbox.

    How do I modify the JavaScript to return an operation attribute? I never used this function before, sorry, I have no idea about this.

    {work.pwdaccountlockedtime}
    {conn.pwdaccountlockedtime}
    {config.<param>}
    {config.$directory}
     

    This is the error log when I try to check the "set operation attribute" checkbox:

    CTGDIS077I Failed with error: OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]

    NextConnectorOperation. Exception occurred: javax.naming.OperationNotSupportedException:

     

    Updated on 2013-10-31T05:02:20Z at 2013-10-31T05:02:20Z by Mcdz
  • franzw
    franzw
    339 Posts

    Re: (TDS) how to lock user

    ‏2013-10-31T07:28:51Z  
    • Mcdz
    • ‏2013-10-31T02:37:13Z


    The pwdaccountlockedtime is the timestamp in generalized time (aka zulu time) of the point in time the locking is performed.

    When working with operational attributes you may end up in this "missing critical extension" - so either you have to ensure that you're running with administrative control - and in some cases add the extension yourself.

    Now - working with that level is not for the fainthearted. I have not worked with setting the pwdaccountlockedtime - but it should be governed internally in TDS with a specific control - and that control must be set to critical.

    This example is for the persistent search control - and requires that you add the TDS IBMLDAPJavaBer.jar and TDSJNDIToolkit.jar to be included in your TDI classpath :

    // PersistentSearchControl example - before initia
    // Build the control and mark it critical, so the server must honour it or reject the request
    var control = new com.ibm.ldap.bp.ctl.PersistentSearchControl(com.ibm.ldap.bp.ctl.PersistentSearchControl.ANY, false, false);
    control.setCriticality(true);
    // setRequestControls() wants a Java array of controls, so build one via reflection
    var controlArray = java.lang.reflect.Array.newInstance(control.getClass(), 1);
    controlArray[0] = control;
    thisConnector.connector.getLdapContext().setRequestControls(controlArray);

    I do not want to go into details about using reflection API and that kind of stuff - as I said this is NOT trivial stuff - and I do not have the time right now to dive into the details for this.

    You should be able to find the controls here : http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/progref484.htm?path=8_9_5_1#wq528 . In general the programming reference is what you need to consult for this level of TDS manipulation.

    HTH

    Regards

    Franz Wolfhagen
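
The following is an added example, not code from either poster: it consumes the kind of `ldapsearch ... ++` output franzw describes above and reports which entries TDS considers locked and since when, parsing pwdAccountLockedTime as GeneralizedTime (the "zulu time" franzw mentions) and honouring ibm-pwdAccountLocked as Mcdz identified it. The LDIF entries are constructed for the demonstration; only the attribute names are the real TDS ones.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample of `ldapsearch ... ++` output; real TDS attribute names, invented entries.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=example
ibm-pwdAccountLocked: TRUE
pwdAccountLockedTime: 20131030150000Z

dn: uid=bob,ou=people,o=example
ibm-pwdAccountLocked: FALSE

dn: uid=carol,ou=people,o=example
pwdAccountLockedTime: 20131030073000.5+0700
"""
_GT = re.compile(r"^(\d{14})(?:[.,](\d+))?(Z|[+-]\d{4})$")  # RFC 4517 GeneralizedTime

def parse_generalized_time(value):
    """Parse YYYYMMDDHHMMSS[.fff](Z|+hhmm|-hhmm) into a timezone-aware datetime."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime: %r" % value)
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y%m%d%H%M%S")
    if frac:  # fractional seconds, normalised to microseconds
        dt += timedelta(microseconds=int((frac + "000000")[:6]))
    if tz == "Z":
        return dt.replace(tzinfo=timezone.utc)
    off = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return dt.replace(tzinfo=timezone(off if tz[0] == "+" else -off))

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines); attribute names lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, value = line.split(":", 1)
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def locked_accounts(text):
    """dn -> UTC lock time (None if only the flag is set); locked = ibm-pwdAccountLocked TRUE or pwdAccountLockedTime present."""
    result = {}
    for e in parse_ldif(text):
        flag = e.get("ibm-pwdaccountlocked", [""])[0].upper() == "TRUE"
        when = e.get("pwdaccountlockedtime")
        if flag or when:
            result[e["dn"][0]] = parse_generalized_time(when[0]).astimezone(timezone.utc) if when else None
    return result
```

Pipe real `ldapsearch -b <base> -D cn=root -w <password> "(uid=*)" ++` output into `locked_accounts` to list the locked entries; without the `++` (or the TDI "Return Attribute" setting) the operational attributes are simply absent and nothing is reported as locked.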

  • Mcdz
    Mcdz
    35 Posts

    Re: (TDS) how to lock user

    ‏2013-10-31T08:31:48Z  
    • franzw
    • ‏2013-10-31T07:28:51Z


    Thank you Franz, at least I got what I need now. I can look up locked accounts.

    I'll not set it. I'll just get the value from pwdaccountlockedtime.

    I didn't know it would get this far. I'm so sorry.