pwdPolicySubentry is an operational attribute. It will not be returned in search results unless you explicitly request it or use + in your requested attribute
list.
If you change the add to a replace in your ldif file your modify operation should succeed.
JON C KIDDER
|
MIDDLEWARE ADMINISTRATOR LEAD
|
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org]
On Behalf Of Douglas Duckworth
Sent: Wednesday, October 25, 2017 9:24 AM
To: Openldap Technical
Subject: [EXTERNAL] pwdPolicySubentry: value #0 already exists
This is an EXTERNAL email. STOP. THINK before you CLICK links or OPEN attachments. If suspicious please forward to
incidents@aep.com for review. |
Hi
I am trying to make sure my bind Service Account's password does not expire. I set this in ou=Policies with the intention that the policy would only be applied to this user:
# Policies, domain
dn: ou=Policies,domain
ou: Policies
objectClass: organizationalUnit
# CustomBindAccountPolicy, Policies, domain
dn: cn=CustomBindAccountPolicy,ou=Policies,domain
objectClass: person
objectClass: top
cn: passwordDefault
cn: CustomBindAccountPolicy
sn: passwordDefault
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdLockout: FALSE
However, I do not see this dn referenced on the user:
# importantuser, Service Accounts, domain
dn: uid=importantuser,ou=Service Accounts,domain
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: extensibleObject
uid: binduser
cn: bind
sn: user
givenName: binduser
title: Account
loginShell: /dev/null
uidNumber: 123
gidNumber: 456
homeDirectory: /dev/null
description: Service Account
userPassword:: password123
When I try to add using ldapadd and this ldif:
dn: uid=importantuser,ou=Service Accounts,domain
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu
I get this error:
me@nsa[~/ldap]$ ladd server.ldif
Enter LDAP Password:
modifying entry "uid=importantuser,ou=Service Accounts,domain"
ldap_modify: Type or value exists (20)
additional info: modify/add: pwdPolicySubentry: value #0 already exists
Do you have any idea what could be happening? My ACL's allow the binduser to see everything so I don't understand what's happening.
Thank you very much!
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E:
doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690