On Monday, 22 March 2010 12:40:47 Chris Jacobs wrote:
> Howard, Tyler, Michael,
> My apologies: I take that back. The entry is indeed on the account - and it is, in fact, a system attribute.
> I will endeavor to not reply to messages at 4am in the future - a bit too quick on the /assume/ thing.
> BTW: How do you identify whether an attribute will be a system attribute or not? I've plenty to learn on ldap, but even I knew to look at the schema file - and I'm not certain how one could know whether an attribute would be a system attribute.

The "USAGE directoryOperation" is the key:
[bgmilne@tiger ~]$ ldapsearch -x -s base -b cn=subschema attributetypes|perl -p0e 's/\n //g'|grep pwdPolicySubentry
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )

On an existing entry, you can ask for only the operational attributes with the '+' modifier, e.g.:
[bgmilne@tiger ~]$ ldapsearch -x -LLL uid=bgmilne '+'
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 8b74bea0-f20d-101e-8cdf-6105b6f2f478
creatorsName: uid=account admin,ou=system accounts,dc=ranger,dc=dnsailas,dc=co
 m
createTimestamp: 19960203002836Z
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
 m
pwdChangedTime: 20100319092937Z
entryCSN: 20100323080111.520646Z#000000#003#000000
modifiersName: cn=manager,dc=ranger,dc=dnsalias,dc=com
modifyTimestamp: 20100323080111Z
entryDN: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Regards, Buchan
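
The schema check described in the reply above, as an added example that is not part of the original message: it unfolds subschema LDIF and reports each attribute's USAGE, generalized to all three operational usages from RFC 4512 (directoryOperation, distributedOperation, dSAOperation). The sample LDIF is constructed, and exampleUserNote with its OID is a hypothetical attribute included to show that keywords inside DESC text are ignored.

```python
import re

# USAGE values that mark an attribute as operational (RFC 4512, section 4.1.2).
OPERATIONAL = {"directoryOperation", "distributedOperation", "dSAOperation"}

# Constructed, abridged sample of subschema LDIF. Continuation lines start with
# one fold space; exampleUserNote and its OID are hypothetical.
SAMPLE_LDIF = """\
dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The
  pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )
attributeTypes: ( 2.5.18.1 NAME 'createTimestamp' DESC 'time object was created'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE d
 irectoryOperation )
attributeTypes: ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' DESC 'naming
  contexts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'common name' SUP name )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleUserNote' DESC 'not USAGE d
 irectoryOperation' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

def unfold(ldif):
    """Undo LDIF folding: a newline followed by a single space continues the line."""
    return ldif.replace("\n ", "")

def classify(ldif):
    """Return {attribute name: USAGE} for every attributeTypes value in the LDIF."""
    result = {}
    for line in unfold(ldif).splitlines():
        if not line.lower().startswith("attributetypes:"):
            continue
        # Drop the free-text DESC so keywords inside it cannot be mistaken for fields.
        definition = re.sub(r"DESC\s+'[^']*'", "", line)
        m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", definition)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        usage = re.search(r"\bUSAGE\s+(\w+)", definition)
        for name in names:
            # An absent USAGE clause means the default, userApplications.
            result[name] = usage.group(1) if usage else "userApplications"
    return result

def operational_attributes(ldif):
    """Names of attributes a search returns only when asked for (e.g. with '+')."""
    return sorted(n for n, u in classify(ldif).items() if u in OPERATIONAL)

if __name__ == "__main__":
    for name, usage in sorted(classify(SAMPLE_LDIF).items()):
        print(f"{name:20} {usage}")
```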