10 replies Latest Post - ‏2013-10-31T08:31:48Z by Mcdz
Mcdz (35 Posts)

Pinned topic (TDS) how to lock user

‏2013-10-30T05:05:10Z |

I want to lock a user by using the pwdAccountLockedTime attribute, but when I try to modify the attribute it always says object violation error.

I had followed this page but nothing happened:

https://www-304.ibm.com/support/docview.wss?uid=swg21459410

I am using TDI 7.1.1 to modify TDS.

  • franzw (330 Posts)

    Re: (TDS) how to lock user

    ‏2013-10-30T07:18:25Z  in response to Mcdz

    What is your error - without that I am totally lost - my mind reading is not that good :-)

    I think it is time to mention: http://www.catb.org/esr/faqs/smart-questions.html again...

    As the APAR/Technote is the result of one of my PMRs IIRC, I understand your problem very well - but without the error message and your hook script it is very difficult to give you any advice....

    Regards

    Franz Wolfhagen

    • Mcdz (35 Posts)

      Re: (TDS) how to lock user

      ‏2013-10-30T07:26:32Z  in response to franzw

      LOL, sorry, I will be more careful about my question. I get this error:

      CTGDIS077I Failed with error: [LDAP: error code 65 - Object Class Violation].

      When I tried to update the attribute value "TRUE" for the pwdAccountLockedTime attribute.

      Hook Script

      Before Initialize:

      // Before Initialize hook: send the server administration control with this connector's LDAP operations,
      // which is what the technote above prescribes for writing operational attributes
      thisConnector.connector.setServerAdminControl(true);

      TDI error log

      [LDAP_DisOrEn] CTGDIS004I *** Finished dumping Entry

      14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ028I No distinguished name ($dn attribute ) was given. The existing distinguished name will be used to modify the entry.
      14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ039I Dumping LDAP Connector Modification List...
      14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ040I Modification item: Operation is replace attribute: pwdAccountLockedTime: true.
      14:30:23,208 INFO  - [LDAP_DisOrEn] CTGDJQ041I Finished dumping LDAP Connector Modification List.
      14:30:23,224 INFO  - [LDAP_DisOrEn] CTGDIS495I handleException , update, javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST'
      14:30:23,224 ERROR - [LDAP_DisOrEn] CTGDIS810E handleException - cannot handle exception , update 
      javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST'
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3110)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3025)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2832)
      at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1470)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:267)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:184)
      at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:178)
      at com.ibm.di.connector.LDAPConnector.modEntry(LDAPConnector.java:1025)
      at com.ibm.di.server.AssemblyLineComponent.executeOperation(AssemblyLineComponent.java:3330)
      at com.ibm.di.server.AssemblyLineComponent.modify(AssemblyLineComponent.java:1883)
      at com.ibm.di.server.AssemblyLineComponent.update(AssemblyLineComponent.java:1733)
      at com.ibm.di.server.AssemblyLine.msExecuteNextConnector(AssemblyLine.java:3737)
      at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3351)
      at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2960)
      at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2943)
      at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2912)
      at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1311)
      14:30:23,224 ERROR - CTGDIS266E Error in NextConnectorOperation. Exception occurred: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST' 
      javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; Remaining name: 'cn=muan fan,cn=user, cn=container, o=acme, CN=LOCALHOST'
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3110)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3025)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2832)
      at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1470)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:267)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:184)
      at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:178)
      at com.ibm.di.connector.LDAPConnector.modEntry(LDAPConnector.java:1025)
      at com.ibm.di.server.AssemblyLineComponent.executeOperation(AssemblyLineComponent.java:3330)
      at com.ibm.di.server.AssemblyLineComponent.modify(AssemblyLineComponent.java:1883)
      at com.ibm.di.server.AssemblyLineComponent.update(AssemblyLineComponent.java:1733)
      at com.ibm.di.server.AssemblyLine.msExecuteNextConnector(AssemblyLine.java:3737)
      at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3351)
      at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2960)
      at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2943)
      at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2912)
      at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1311)
      Updated on 2013-10-30T07:35:35Z at 2013-10-30T07:35:35Z by Mcdz
      • franzw (330 Posts)

        Re: (TDS) how to lock user

        ‏2013-10-30T07:40:03Z  in response to Mcdz

        Well - the ldap server is trying to tell you that something is violating the ldap schema...

        I assume that your ldap server is a TDS - have you been able to make this change using e.g. Web Administration Tool ?

        The ibmslapd.log may tell you a little more - what does that report ?

        The reason here may also be that your output map contains other attributes than pwdAccountLockedTime - if that is the case you have to correct that. If not - is the value of pwdAccountLockedTime in GeneralizedTime format as required by the ldap server?

        HTH

        Regards

        Franz Wolfhagen

        Updated on 2013-10-30T07:43:53Z at 2013-10-30T07:43:53Z by franzw
        • Mcdz (35 Posts)

          Re: (TDS) how to lock user

          ‏2013-10-30T08:28:12Z  in response to franzw

          I did try using the Web Administration Tool but get the same error (I had used GeneralizedTime format, for example 20131030150000Z).

          I added pwdAccountLockedTime to the inetOrgPerson objectclass myself to test this, because the pwdAccountLockedTime attribute is owned by the ibm-slapdPwdPolicyAdmininetOrgPerson objectclass.

          I had checked in the Web Administration Tool: pwdAccountLockedTime requires Generalized Time syntax.

          How do I check if it contains other attributes?

          Nothing is recorded in ibmslapd.log:

          Oct 30 12:03:24 2013 GLPSRV041I Server starting.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libldaprepl.dll.
          Oct 30 12:03:25 2013 GLPSRV155I The DIGEST-MD5 SASL Bind mechanism is enabled in the configuration file.
          Oct 30 12:03:25 2013 GLPCOM021I The preoperation plugin is successfully loaded from libDigest.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.dll.
          Oct 30 12:03:25 2013 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.dll.
          Oct 30 12:03:25 2013 GLPCOM025I The audit plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libldapaudit.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
          Oct 30 12:03:25 2013 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.dll.
          Oct 30 12:03:25 2013 GLPCOM022I The database plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libback-config.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.dll.
          Oct 30 12:03:25 2013 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.dll.
          Oct 30 12:03:25 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.dll.
          Oct 30 12:03:25 2013 GLPCOM022I The database plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libback-rdbm.dll.
          Oct 30 12:03:25 2013 GLPCOM010I Replication plugin is successfully loaded from C:/PROGRA~1/IBM/LDAP/V6.3/lib64/libldaprepl.dll.
          Oct 30 12:03:25 2013 GLPSRV189I Virtual list view support is enabled.
          Oct 30 12:03:25 2013 GLPCOM021I The preoperation plugin is successfully loaded from libpta.dll.
          Oct 30 12:03:25 2013 GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database.
          Oct 30 12:03:25 2013 GLPSRV207I Group conflict resolution during replication is disabled.
          Oct 30 12:03:25 2013 GLPSRV200I Initializing primary database and its connections.
          Oct 30 12:03:29 2013 GLPRDB126I The directory server will not use DB2 selectivity.
          Oct 30 12:03:30 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.dll.
          Oct 30 12:03:30 2013 GLPCOM024I The extended Operation plugin is successfully loaded from libidsfget.dll.
          Oct 30 12:03:30 2013 GLPSRV180I Pass-through authentication is disabled.
          Oct 30 12:03:30 2013 GLPCOM003I Non-SSL port initialized to 389.
          Oct 30 12:03:33 2013 GLPRPL137I Restricted Access to the replication topology is set to false.
          Oct 30 12:03:34 2013 GLPSRV009I 6.3.0.0 server started.
          Oct 30 12:03:34 2013 GLPRPL136I Replication conflict resolution mode is set to true.
          Oct 30 12:03:34 2013 GLPSRV048I Started 15 worker threads to handle client requests.
          Oct 30 12:03:34 2013 GLPSRV049I Started 10 handler threads to service established client connections.
          Oct 30 12:03:35 2013 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.
          Oct 30 12:03:35 2013 GLPSRV214I The LDAP Server is not recording binary trace.
          Oct 30 12:03:35 2013 GLPSRV216I The LDAP Server is not recording ascii trace.
          Oct 30 14:01:51 2013 GLPSRV202I During the last hour 0 updates were received from suppliers and 6 updates were received from other clients.
          Oct 30 14:01:51 2013 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.
          Oct 30 14:01:51 2013 GLPSRV214I The LDAP Server is not recording binary trace.
          Oct 30 14:01:51 2013 GLPSRV216I The LDAP Server is not recording ascii trace.
          Oct 30 15:02:42 2013 GLPSRV202I During the last hour 0 updates were received from suppliers and 18 updates were received from other clients.
          Oct 30 15:02:42 2013 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.
          Oct 30 15:02:42 2013 GLPSRV214I The LDAP Server is not recording binary trace.
          Oct 30 15:02:42 2013 GLPSRV216I The LDAP Server is not recording ascii trace.
          • franzw (330 Posts)

            Re: (TDS) how to lock user

            ‏2013-10-30T08:55:17Z  in response to Mcdz

            You should definitely not add them to your schema - the password attributes are "operational attributes" - i.e. they are hidden from the normal user but are always available if the context is right - e.g. you have password policies enabled IIRC in this specific case.

            See here : http://www-01.ibm.com/support/docview.wss?uid=swg21179419

            You may want to study the password policies a little more before continuing - take a look here : http://www.ibm.com/developerworks/tivoli/library/t-tdspp-ect/ and in the formal doc : https://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.IBMDS.doc%2Fadmin_gd191.htm

            For the general operational attribute concept I can recommend zytrax.com with their excellent ldap guide : http://www.zytrax.com/books/ldap/ch3/

            HTH

            Regards

            Franz Wolfhagen

            • Mcdz (35 Posts)

              Re: (TDS) how to lock user

              ‏2013-10-30T10:38:59Z  in response to franzw

              Thank you, I got a lot from you franzw. It says the pwdAccountLockedTime attribute will not appear if the account is not locked,

              but when I locked the account it still did not work. Or is it only for the admin group?

              • franzw (330 Posts)

                Re: (TDS) how to lock user

                ‏2013-10-30T11:11:20Z  in response to Mcdz

                You will have to explicitly ask for the attribute to be shown in your ldapsearch, e.g.:

                ldapsearch -b <base> -D cn=root -w <password> uid=<userid> pwdAccountLockedTime

                or

                ldapsearch -b <base> -D cn=root -w <password> uid=<userid> ++

                The "++" gives you ALL operational attributes.

                In TDI if you want the operational attributes returned you must list them on the "Return Attribute" on the "Advanced" part of the Connection setup.

                HTH

                Regards

                Franz Wolfhagen
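The `++` dump above is only useful once something reads it, and the thread's two lock indicators (the pwdAccountLockedTime timestamp requested here, and the ibm-pwdAccountLocked flag that comes up later) are not returned unless asked for and are not the same thing. The following is an added example, not code from the thread or from IBM: it parses a constructed LDIF dump, as `ldapsearch ... ++` would print it, decodes GeneralizedTime, and decides per entry whether the account is locked. The lock semantics it applies (an administrative ibm-pwdAccountLocked=TRUE never expires; a pwdAccountLockedTime lock expires after a pwdLockoutDuration, with 0 meaning "until reset") are this example's reading of the password-policy behaviour and are labelled as assumptions in the code; the DNs, uids and timestamps in SAMPLE_LDIF are invented.

```python
"""Lock state from an `ldapsearch ... ++` LDIF dump (added example, not from the thread)."""
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample output of:  ldapsearch -b <base> -D cn=root -w <password> objectclass=inetOrgPerson ++
# (DNs, uids and timestamps are invented for this example; the attribute names are TDS's).
SAMPLE_LDIF = """\
dn: cn=muan fan,cn=user,cn=container,o=acme
uid: mfan
objectclass: inetOrgPerson
ibm-pwdAccountLocked: TRUE
pwdAccountLockedTime: 20131030150000Z
pwdChangedTime: 20130901080000Z

dn: cn=jane doe,cn=user,cn=container,o=acme
uid: jdoe
objectclass: inetOrgPerson
pwdChangedTime: 20131001090000Z

dn: cn=old lock,cn=user,cn=container,o=acme
uid: olock
objectclass: inetOrgPerson
pwdAccountLockedTime: 20131001120000Z
"""


def parse_ldif(text):
    """LDIF -> list of {attribute_lowercased: [values]}; unfolds continuation lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line: append to the previous one
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        # LDAP attribute names are case-insensitive; pwdaccountlockedtime == pwdAccountLockedTime
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def parse_generalized_time(value):
    """LDAP GeneralizedTime in UTC (20131030150000Z, optional fraction) -> aware datetime."""
    value = value.strip().upper()
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime is handled here: %r" % value)
    return datetime.strptime(value[:-1].split(".")[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lock_state(entry, now, lockout_duration_seconds=0):
    """(locked, reason) for one parsed entry.

    Assumed semantics (this example's reading of the password policy, not stated in the thread):
    ibm-pwdAccountLocked=TRUE is an administrative lock with no expiry; pwdAccountLockedTime is
    written by the server when it locks the account and, if pwdLockoutDuration is non-zero, the
    lock expires that many seconds later (0 = locked until reset)."""
    if entry.get("ibm-pwdaccountlocked", [""])[0].upper() == "TRUE":
        return True, "administrative lock (ibm-pwdAccountLocked=TRUE)"
    locked_time = entry.get("pwdaccountlockedtime")
    if not locked_time:
        return False, "no pwdAccountLockedTime (absent when the account is not locked)"
    since = parse_generalized_time(locked_time[0])
    if lockout_duration_seconds == 0:
        return True, "locked since %s until reset" % since.isoformat()
    until = since + timedelta(seconds=lockout_duration_seconds)
    if now < until:
        return True, "locked since %s, expires %s" % (since.isoformat(), until.isoformat())
    return False, "lockout expired at %s" % until.isoformat()


def locked_accounts(ldif_text, now_generalized_time, lockout_duration_seconds=0):
    """uid -> reason for every entry in the dump that is locked at the given GeneralizedTime."""
    now = parse_generalized_time(now_generalized_time)
    report = {}
    for entry in parse_ldif(ldif_text):
        locked, reason = lock_state(entry, now, lockout_duration_seconds)
        if locked:
            report[entry["uid"][0]] = reason
    return report


if __name__ == "__main__":
    for uid, why in locked_accounts(SAMPLE_LDIF, "20131031030000Z", 3600).items():
        print(uid, "->", why)
```

Run it against a real dump by piping `ldapsearch ... ++` output into `locked_accounts`; with a non-zero duration the stale pwdAccountLockedTime on `olock` is reported as expired, while the administrative flag on `mfan` keeps that account locked either way.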

                • Mcdz (35 Posts)

                  Re: (TDS) how to lock user

                  ‏2013-10-31T02:37:13Z  in response to franzw

                  Thank you for your advice, I have learned a lot from you.

                  I misunderstood: pwdaccountlockedtime is not used to lock the account, but it is the date of when the account got locked, right?

                  The attribute used to lock an account is ibm-pwdaccountlocked. And I did not check the "set operational attribute" checkbox, so I guess it's not an operational attribute. It will get an error if I check the "set operational attribute" checkbox.

                  How do I modify the JavaScript to return an operational attribute? I have never used this function before, sorry, I have no idea about this.

                  {work.pwdaccountlockedtime}
                  {conn.pwdaccountlockedtime}
                  {config.<param>}
                  {config.$directory}

                  This is the error log when I try to check the "set operational attribute" checkbox:

                  CTGDIS077I Failed with error: OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]

                  NextConnectorOperation. Exception occurred: javax.naming.OperationNotSupportedException:

                  Updated on 2013-10-31T05:02:20Z at 2013-10-31T05:02:20Z by Mcdz
                  • franzw (330 Posts)

                    Re: (TDS) how to lock user

                    ‏2013-10-31T07:28:51Z  in response to Mcdz

                    The pwdaccountlockedtime is the timestamp in generalized time (aka zulu time) of the point in time the locking is performed.

                    When working with operational attributes you may end up in this "missing critical extension" - so either you have to ensure that you're running with administrative control - and in some cases add the extension yourself.

                    Now - working with that level is not for the fainthearted. I have not worked with setting the pwdaccountlockedtime - but it should be governed internally in TDS with a specific control - and that control must be set to critical.

                    This example is for the persistent search control - and requires that you add the TDS IBMLDAPJavaBer.jar and TDSJNDIToolkit.jar to be included in your TDI classpath:

                    // PersistentSearchControl example - before initialize hook
                    var control = new com.ibm.ldap.bp.ctl.PersistentSearchControl(com.ibm.ldap.bp.ctl.PersistentSearchControl.ANY, false, false);
                    control.setCriticality(true);   // critical: the server must honour the control or fail the operation
                    // JNDI wants a Control[]; build a typed Java array from script via reflection
                    var controlArray = java.lang.reflect.Array.newInstance(control.getClass(), 1);
                    controlArray[0] = control;
                    thisConnector.connector.getLdapContext().setRequestControls(controlArray);

                    I do not want to go into details about using reflection API and that kind of stuff - as I said this is NOT trivial stuff - and I do not have the time right now to dive into the details for this.

                    You should be able to find the controls here : http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/progref484.htm?path=8_9_5_1#wq528 in general the programming reference is what you need to consult for this level of TDS manipulating.

                    HTH

                    Regards

                    Franz Wolfhagen
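Why does "error code 12 - Unavailable Critical Extension" show up exactly when the control is marked critical? On the wire a request control is a small BER structure (RFC 4511: `Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }`), and the server rule is that an unrecognised or disallowed control is silently ignored when criticality is FALSE but fails the whole operation with resultCode 12 when it is TRUE. The block below is an added example, not the IBM toolkit code from the post and not part of the thread: it hand-encodes the persistent search control from the post (OID 2.16.840.1.113730.3.4.3, value `SEQUENCE { changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }` as in the ldapext psearch draft) with and without criticality, decodes it back the way a server would, and models the server's accept/ignore/reject decision. `server_decision` and the `supported_oids` set are this example's own model, not a TDS API.

```python
"""Hand-encode an LDAP request control and its criticality flag (added example, not from the thread)."""

PERSISTENT_SEARCH_OID = "2.16.840.1.113730.3.4.3"   # persistent search control (ldapext psearch draft)
CHANGE_ANY = 1 | 2 | 4 | 8                           # add | delete | modify | modDN == the post's ANY
UNAVAILABLE_CRITICAL_EXTENSION = 12                  # LDAP resultCode, RFC 4511 section 4.1.11


def ber_length(n):
    """BER length octets: short form below 128, long form (0x80 | count, then big-endian) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_boolean(flag):
    return tlv(0x01, b"\xff" if flag else b"\x00")


def ber_integer(value):
    size = max(1, (value.bit_length() + 8) // 8)     # two's complement with room for the sign bit
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def persistent_search_value(change_types=CHANGE_ANY, changes_only=False, return_ecs=False):
    """controlValue ::= SEQUENCE { changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }"""
    return tlv(0x30, ber_integer(change_types) + ber_boolean(changes_only) + ber_boolean(return_ecs))


def encode_control(oid, critical=False, value=None):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  A DEFAULT FALSE criticality is omitted on the wire."""
    body = tlv(0x04, oid.encode("ascii"))
    if critical:
        body += ber_boolean(True)
    if value is not None:
        body += tlv(0x04, value)
    return tlv(0x30, body)


def encode_controls(*controls):
    """Controls ::= [0] SEQUENCE OF Control, i.e. context-specific constructed tag 0 (0xA0)."""
    return tlv(0xA0, b"".join(controls))


def read_tlv(buf, pos=0):
    """Read one tag/length/value at pos; returns (tag, value_bytes, position_after)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_control(raw):
    """Inverse of encode_control -> (oid, critical, value); this is the server's view of the control."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("a Control must be a SEQUENCE")
    _, oid, pos = read_tlv(body)
    critical, value = False, None
    while pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        if tag == 0x01:
            critical = item != b"\x00"
        elif tag == 0x04:
            value = item
    return oid.decode("ascii"), critical, value


def server_decision(raw_control, supported_oids):
    """Model (this example's, not a TDS API) of the RFC 4511 rule: an unsupported control is ignored
    when criticality is FALSE but makes the operation fail with unavailableCriticalExtension (12)
    when criticality is TRUE."""
    oid, critical, _ = decode_control(raw_control)
    if oid in supported_oids:
        return 0, "applied"
    if critical:
        return UNAVAILABLE_CRITICAL_EXTENSION, "unavailableCriticalExtension"
    return 0, "ignored"


if __name__ == "__main__":
    critical_ctl = encode_control(PERSISTENT_SEARCH_OID, critical=True, value=persistent_search_value())
    print(encode_controls(critical_ctl).hex())
    print(server_decision(critical_ctl, supported_oids=set()))                       # (12, ...)
    print(server_decision(critical_ctl, supported_oids={PERSISTENT_SEARCH_OID}))    # (0, 'applied')
```

The hex dump is what to compare against a packet capture or the TDS trace when a critical control is rejected: the three bytes `01 01 ff` right after the OID are the criticality flag, and removing them (criticality FALSE) turns a resultCode 12 into an operation that succeeds with the control quietly dropped, which is usually worse because the lock you asked for was never applied.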

                    • Mcdz (35 Posts)

                      Re: (TDS) how to lock user

                      ‏2013-10-31T08:31:48Z  in response to franzw

                      Thank you franz, at least I got what I needed now. I can look up locked accounts.

                      I'll not set it. I'll just get the value from pwdaccountlockedtime.

                      I didn't know it would get this far. I'm so sorry.