[389-users] Disable Inactive Users After 90 days

Jim Finn jamespfinn at gmail.com
Wed May 9 16:13:57 UTC 2012


Are you doing this via an ldif file or stdin?

Try
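# changetype must be "modify" to remove a single attribute; "changetype: delete" deletes the whole entry and accepts no further lines
echo -e "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype: modify\ndelete: lastLoginTime\n\n" | \
    ldapmodify -x -h yourhost -D "cn=directory manager" -wPaSsWoRd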

Jim

On Wed, May 9, 2012 at 11:09 AM, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 05/09/2012 10:09 AM, Ali Jawad wrote:
>
> Hi Rich
> Seems I still got a problem, the users can't logon anymore, I did try to
>
>  dn: uid=username,ou=people,dc=domain,dc=local
> changetype: delete
> delete: lastLoginTime
>
>  But I keep getting
>
>  ldapmodify: extra lines at end (line 3 of entry
> "uid=username,ou=people,dc=domain,dc=local")
>
>  I checked for whitespaces, extra lines..but still same issue
>
>  I did also check for lastLoginTime values in the users in the interface,
> but the value is empty..so not sure if this is the problem at all
>
>
> does ldapmodify -d 1 give any more useful information?
>
>
>
>  Regards
>
>
>
>
>
>  On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <ali.jawad at splendor.net> wrote:
>
>> Hi Rich
>> Your help is highly appreciated, I got it working, thanks for your
>> patience.
>> Regards
>>
>>
>> On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>>>  On 05/09/2012 08:17 AM, Ali Jawad wrote:
>>>
>>> Hi
>>> Thanks Rich, just what I was searching for, I am facing a problem though
>>> "ldapmodify: No such object (32) matched DN: dc=domain,dc=local" at:
>>>
>>>  [user at server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>>>
>>> dn: cn=Account Inactivation Policy,dc=example,dc=com
>>> objectClass: top
>>> objectClass: ldapsubentry
>>> objectClass: extensibleObject
>>> objectClass: accountpolicy
>>> accountInactivityLimit: 2592000
>>> cn: Account Inactivation Policy
>>>
>>>
>>>  I am doing
>>>
>>>  [root at 386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w
>>> password  -p 389 -h x.x.x.x   -x
>>>
>>>  dn: cn=Account Inactivation Policy,dc=domain,dc=local
>>> objectClass: top
>>> objectClass: ldapsubentry
>>> objectClass: extensibleObject
>>> objectClass: accountpolicy
>>> accountInactivityLimit: 2592000
>>> cn: Account Inactivation Policy
>>> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
>>>
>>>  ldapmodify: No such object (32)
>>>         matched DN: dc=domain,dc=local
>>>
>>>
>>> Right.  You are missing the ldapmodify -a - see the original
>>> instructions
>>>
>>>
>>>
>>> On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>
>>>>   On 05/09/2012 07:45 AM, Ali Jawad wrote:
>>>>
>>>> Hi
>>>> I have a requirement to disable inactive users after 90 days. I did
>>>> read  http://directory.fedoraproject.org/wiki/Account_Policy_Design
>>>> but I am not sure whether this is a design proposal or the
>>>> actual implementation.
>>>>
>>>>  My DS version is :
>>>>
>>>>  rpm -qa | grep 389
>>>> 389-admin-console-1.1.8-1.el5
>>>> 389-ds-base-1.2.9.9-1.el5
>>>> 389-dsgw-1.1.7-2.el5
>>>> 389-console-1.1.7-3.el5
>>>> 389-adminutil-1.1.14-1.el5
>>>> 389-admin-1.1.23-1.el5
>>>> 389-admin-console-doc-1.1.8-1.el5
>>>> 389-ds-1.2.1-1.el5
>>>> 389-ds-base-libs-1.2.9.9-1.el5
>>>> 389-ds-console-1.2.6-1.el5
>>>> 389-ds-console-doc-1.2.6-1.el5
>>>>
>>>>  I got
>>>>
>>>>  [root at 386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w
>>>> Password -b "cn=config" -s base lastLoginTime
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=config> with scope baseObject
>>>> # filter: (objectclass=*)
>>>> # requesting: lastLoginTime
>>>> #
>>>>
>>>>  # config
>>>> dn: cn=config
>>>>
>>>>  # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>>  # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>>  and
>>>>
>>>>  [root at 386-100-16 dirsrv]# grep -i lastlogintime
>>>> /etc/dirsrv/slapd-386-100-16/schema/*
>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime
>>>> holds login state in user entries (GeneralizedTime syntax)
>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: (
>>>> 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>>>>
>>>>  I am not sure how to implement this though, please advise.
>>>>
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>>>>
>>>>
>>>>  Regards
>>>>
>>>>
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>
>>>>
>>>>
>>>
>>>
>>>  --
>>> Ali Jawad
>>> Information Systems Manager
>>> Splendor Telecom (www.splendor.net)
>>> Beirut, Lebanon
>>> Phone: +9611373725/ext 116
>>> FAX: +9611375554
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
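
Added example, not part of the original thread: a small pre-flight check for LDIF change records that flags the two mistakes discussed above, namely extra lines after "changetype: delete" (the "extra lines at end" error) and a record with no changetype sent without -a (the "No such object (32)" error). The helper name lint_ldif and the sample records are assumptions made for illustration; the DN is the placeholder used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint LDIF change records before ldapmodify.
# lint_ldif is a hypothetical helper; BROKEN and FIXED are constructed samples
# using the placeholder DN from the thread.

lint_ldif() {
    awk '
    function flush() {
        if (dn == "") return
        if (ctype == "delete" && extra > 0) {
            # the case that yields "extra lines at end"
            printf "%s: changetype: delete removes the whole entry and takes no further lines; use changetype: modify with delete: <attr>\n", dn
            bad = 1
        } else if (ctype == "") {
            # the case that yields "No such object (32)" for a new entry
            printf "%s: no changetype; ldapmodify treats this as modify unless run with -a\n", dn
            bad = 1
        }
        dn = ""; ctype = ""; extra = 0
    }
    /^[ \t]*$/ { flush(); next }      # blank line ends a record
    /^#/       { next }               # comment line
    /^ /       { next }               # folded continuation of the previous line
    {
        low = tolower($0)
        if (low ~ /^dn:/) {
            flush(); dn = $0; sub(/^[^:]*:[ \t]*/, "", dn); next
        }
        if (low ~ /^changetype:/) {
            ctype = low
            sub(/^changetype:[ \t]*/, "", ctype); sub(/[ \t]+$/, "", ctype)
            next
        }
        extra++                       # any other line in the record
    }
    END { flush(); exit bad + 0 }
    '
}

BROKEN='dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime'

FIXED='dn: uid=username,ou=people,dc=domain,dc=local
changetype: modify
delete: lastLoginTime'

printf '%s\n' "$BROKEN" | lint_ldif || true   # prints one finding
printf '%s\n' "$FIXED" | lint_ldif && echo "FIXED: no findings"
```

lint_ldif exits non-zero when it reports a finding, so it can gate the ldapmodify call in a script.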