[389-users] Disable Inactive Users After 90 days

Rich Megginson rmeggins at redhat.com
Wed May 9 14:19:42 UTC 2012


On 05/09/2012 08:17 AM, Ali Jawad wrote:
> Hi
> Thanks Rich, just what I was searching for, I am facing a problem 
> though "ldapmodify: No such object (32) matched DN: 
> dc=domain,dc=local" at:
>
> [user at server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>
> dn: cn=Account Inactivation Policy,dc=example,dc=com
>
> objectClass: top
> objectClass: ldapsubentry
> objectClass: extensibleObject
> objectClass: accountpolicy
> accountInactivityLimit: 2592000
> cn: Account Inactivation Policy
>
> I am doing
>
> [root at 386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w 
> password  -p 389 -h x.x.x.x   -x
>
> dn: cn=Account Inactivation Policy,dc=domain,dc=local
> objectClass: top
> objectClass: ldapsubentry
> objectClass: extensibleObject
> objectClass: accountpolicy
> accountInactivityLimit: 2592000
> cn: Account Inactivation Policy
> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
>
> ldapmodify: No such object (32)
>         matched DN: dc=domain,dc=local

Right.  You are missing the ldapmodify -a - see the original instructions

>
> On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     On 05/09/2012 07:45 AM, Ali Jawad wrote:
>>     Hi
>>     I have a requirement to disable inactive users after 90 days. I
>>     did read
>>     http://directory.fedoraproject.org/wiki/Account_Policy_Design 
>>     but I am not sure whether this is a design proposal or the
>>     actual implementation.
>>
>>     My DS version is :
>>
>>     rpm -qa | grep 389
>>     389-admin-console-1.1.8-1.el5
>>     389-ds-base-1.2.9.9-1.el5
>>     389-dsgw-1.1.7-2.el5
>>     389-console-1.1.7-3.el5
>>     389-adminutil-1.1.14-1.el5
>>     389-admin-1.1.23-1.el5
>>     389-admin-console-doc-1.1.8-1.el5
>>     389-ds-1.2.1-1.el5
>>     389-ds-base-libs-1.2.9.9-1.el5
>>     389-ds-console-1.2.6-1.el5
>>     389-ds-console-doc-1.2.6-1.el5
>>
>>     I got
>>
>>     [root at 386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager"
>>     -w Password -b "cn=config" -s base lastLoginTime
>>     # extended LDIF
>>     #
>>     # LDAPv3
>>     # base <cn=config> with scope baseObject
>>     # filter: (objectclass=*)
>>     # requesting: lastLoginTime
>>     #
>>
>>     # config
>>     dn: cn=config
>>
>>     # search result
>>     search: 2
>>     result: 0 Success
>>
>>     # numResponses: 2
>>     # numEntries: 1
>>
>>     and
>>
>>     [root at 386-100-16 dirsrv]# grep -i lastlogintime
>>     /etc/dirsrv/slapd-386-100-16/schema/*
>>     /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:##
>>     lastLoginTime holds login state in user entries (GeneralizedTime
>>     syntax)
>>     /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes:
>>     ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>>
>>     I am not sure how to implement this though, please advise.
>     http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>>
>>     Regards
>>
>>
>>
>
>
>
>
> -- 
> Ali Jawad
> Information Systems Manager
> Splendor Telecom (www.splendor.net)
> Beirut, Lebanon
> Phone: +9611373725/ext 116
> FAX: +9611375554
>
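
An added example, not part of the thread or of the 389 project's code: a simplified model of the inactivity comparison (lastLoginTime plus accountInactivityLimit against the current time), useful for auditing which entries a given limit would affect before enabling a policy. The entries, DNs and reference time are constructed sample data, and only UTC GeneralizedTime values ending in `Z` are assumed. Note that the limit is in seconds: 2592000 is 30 days, while 90 days is 7776000.

```python
from datetime import datetime, timedelta, timezone

DAY = 86400
LIMIT_IN_THREAD = 2592000   # accountInactivityLimit quoted in the thread (seconds)
LIMIT_90_DAYS = 90 * DAY    # 7776000 seconds, the stated 90-day requirement

def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime value such as 20120509141942Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC value ending in Z: %r" % value)
    parsed = datetime.strptime(value[:-1], "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)

def inactive_dns(entries, limit_seconds, now):
    """DNs whose lastLoginTime is more than limit_seconds before now."""
    cutoff = now - timedelta(seconds=limit_seconds)
    return [dn for dn, attrs in entries
            if "lastLoginTime" in attrs
            and parse_generalized_time(attrs["lastLoginTime"]) < cutoff]

def never_logged_in(entries):
    """DNs with no lastLoginTime; these need a separate decision."""
    return [dn for dn, attrs in entries if "lastLoginTime" not in attrs]

# Constructed sample data (hypothetical users, not from the thread).
NOW = datetime(2012, 5, 9, 14, 19, 42, tzinfo=timezone.utc)
ENTRIES = [
    ("uid=alice,ou=People,dc=example,dc=com", {"lastLoginTime": "20120501000000Z"}),
    ("uid=bob,ou=People,dc=example,dc=com", {"lastLoginTime": "20120320000000Z"}),
    ("uid=carol,ou=People,dc=example,dc=com", {"lastLoginTime": "20120101000000Z"}),
    ("uid=dave,ou=People,dc=example,dc=com", {}),
]

if __name__ == "__main__":
    for label, limit in (("thread value", LIMIT_IN_THREAD),
                         ("90 days", LIMIT_90_DAYS)):
        print("%s (%d days):" % (label, limit // DAY))
        for dn in inactive_dns(ENTRIES, limit, NOW):
            print("  inactive:", dn)
    for dn in never_logged_in(ENTRIES):
        print("no lastLoginTime:", dn)
```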
