Thanks so much, Jon!

I can see it clearly now!

# Service Accounts, domain
dn: ou=Service Accounts,domain

# g14classified, Service Accounts, domain
dn: uid=g14classified,ou=Service Accounts,domain
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,domain


Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690

On Wed, Oct 25, 2017 at 9:34 AM, Jon C Kidder <jckidder@aep.com> wrote:

pwdPolicySubentry is an operational attribute.  It will not be returned in search results unless you explicitly request it or use + in your requested attribute list.

If you change the add to a replace in your ldif file your modify operation should succeed.

JON C KIDDER | MIDDLEWARE ADMINISTRATOR LEAD
JCKIDDER@AEP.COM | D:614.716.4970
1 RIVERSIDE PLAZA, COLUMBUS, OH 43215

From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Douglas Duckworth
Sent: Wednesday, October 25, 2017 9:24 AM
To: Openldap Technical
Subject: [EXTERNAL] pwdPolicySubentry: value #0 already exists

Hi

I am trying to make sure my bind Service Account's password does not expire.  I set this in ou=Policies with the intention that the policy would only be applied to this user:

# Policies, domain
dn: ou=Policies,domain
ou: Policies
objectClass: organizationalUnit

# CustomBindAccountPolicy, Policies, domain
dn: cn=CustomBindAccountPolicy,ou=Policies,domain
objectClass: person
objectClass: top
cn: passwordDefault
cn: CustomBindAccountPolicy
sn: passwordDefault
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdLockout: FALSE

However, I do not see this dn referenced on the user:

# importantuser, Service Accounts, domain
dn: uid=importantuser,ou=Service Accounts,domain
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: extensibleObject
uid: binduser
cn: bind
sn: user
givenName: binduser
title: Account
loginShell: /dev/null
uidNumber: 123
gidNumber: 456
homeDirectory: /dev/null
description: Service Account
userPassword:: password123

When I try to add using ldapadd and this ldif:

dn: uid=importantuser,ou=Service Accounts,domain
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu

I get this error:

me@nsa[~/ldap]$ ladd server.ldif
Enter LDAP Password: 
modifying entry "uid=importantuser,ou=Service Accounts,domain"
ldap_modify: Type or value exists (20)
        additional info: modify/add: pwdPolicySubentry: value #0 already exists

Do you have any idea what could be happening?  My ACLs allow the binduser to see everything, so I don't understand what's happening.

Thank you very much!

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
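The two points in Jon's reply (an operational attribute such as pwdPolicySubentry is hidden from a search unless named or requested with `+`, and a modify `add` of a value that is already present fails with result 20 where `replace` succeeds) modelled as an added Python example; this is not code from the thread or from OpenLDAP, and LdapEntry, POLICY_DN and the entry values are constructed for illustration.

```python
# Added example, not from the thread: a small offline model of the LDAP rules
# behind Jon's answer (RFC 4511 modify, RFC 4512 operational attributes).

OPERATIONAL_ATTRS = {"pwdPolicySubentry", "entryUUID", "modifyTimestamp"}

class LdapError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{message} ({code})")
        self.code = code

class LdapEntry:
    """One entry: attribute name -> list of values (user and operational)."""
    def __init__(self, attrs):
        self.attrs = {k: list(v) for k, v in attrs.items()}

    def search(self, requested=("*",)):
        """Attributes a search returns: '*' (the default) is user attributes only;
        operational ones appear only if named or via OpenLDAP's '+' shorthand."""
        wanted = set()
        for name in requested:
            if name == "*":
                wanted |= {a for a in self.attrs if a not in OPERATIONAL_ATTRS}
            elif name == "+":
                wanted |= {a for a in self.attrs if a in OPERATIONAL_ATTRS}
            else:
                wanted.add(name)
        return {a: v for a, v in self.attrs.items() if a in wanted}

    def modify(self, op, attr, values):
        """One ldapmodify change. 'add' fails with attributeOrValueExists (20) when
        a value is already there; 'replace' sets the attribute to exactly values."""
        current = self.attrs.get(attr, [])
        if op == "add":
            for i, v in enumerate(values):
                if v in current:
                    raise LdapError(20, f"modify/add: {attr}: value #{i} already exists")
            self.attrs[attr] = current + list(values)
        elif op == "replace":
            self.attrs[attr] = list(values)
        else:
            raise ValueError(f"unsupported modify op {op!r}")
        return self.attrs[attr]

POLICY_DN = "cn=CustomBindAccountPolicy,ou=Policies,domain"  # constructed

def make_binduser():
    """Constructed service-account entry that already carries the policy DN."""
    return LdapEntry({"objectClass": ["top", "account"], "uid": ["binduser"],
                      "pwdPolicySubentry": [POLICY_DN]})
```

A plain search on this entry shows no pwdPolicySubentry, yet the `add` is refused exactly as in the thread; asking for `+` reveals the existing value, and `replace` sets it without error.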