[Date Prev][Date Next] [Chronological] [Thread] [Top]

Setting userPassword and pwdChangedTime together with Relax Rules Control


I've implemented a sync job which has to also sync passwords with a password
modification timestamp from an Oracle DB to OpenLDAP. There's a latency in
this password sync so the exact password modification timestamp has to be
copied from the source DB to attribute pwdChangedTime in OpenLDAP.

Setting the pwdChangedTime alone with the Relax Rules control is no problem.
But when the add or modify request also contains the userPassword attribute
slapo-ppolicy also wants to add a (later) value for pwdChangedTime and this
results in:

Constraint violation: attribute 'pwdChangedTime' cannot have multiple values

Any chance to achieve this in a single add/modify request? I think this
scenario is not so unusual in the real world. So slapo-ppolicy should not
generate 'pwdChangedTime' if it's already in the write request in case of
Relax Rules control enabled.

Ciao, Michael.