
Re: attribute 'pwdPolicySubentry' cannot have multiple values

On Monday, 22 March 2010 12:40:47 Chris Jacobs wrote:
> Howard, Tyler, Michael,
> My apologies: I take that back.  The entry is indeed on the account - and
>  it is, in fact, a system attribute.
> I will endeavor to not reply to messages at 4am in the future - a bit too
>  quick on the /assume/ thing.
> BTW:
> How do you identify whether an attribute will be a system attribute or not?
>   I've plenty to learn on ldap, but even I knew to look at the schema file
>  - and I'm not certain how one could know whether an attribute would be a
>  system attribute.

The "USAGE directoryOperation" is the key:

[bgmilne@tiger ~]$ ldapsearch -x -s base -b cn=subschema attributetypes | perl -p0e 's/\n //g' | grep pwdPolicySubentry
attributeTypes: ( NAME 'pwdPolicySubentry' DESC 
'The pwdPolicy subentry in effect for this object' EQUALITY 
distinguishedNameMatch SYNTAX SINGLE-VALUE USAGE 
directoryOperation )

On an existing entry, you can ask for only the operational attributes with the 
'+' modifier, e.g.:

[bgmilne@tiger ~]$ ldapsearch -x -LLL uid=bgmilne '+'
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 8b74bea0-f20d-101e-8cdf-6105b6f2f478
creatorsName: uid=account admin,ou=system accounts,dc=ranger,dc=dnsailas,dc=co
createTimestamp: 19960203002836Z
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
pwdChangedTime: 20100319092937Z
entryCSN: 20100323080111.520646Z#000000#003#000000
modifiersName: cn=manager,dc=ranger,dc=dnsalias,dc=com
modifyTimestamp: 20100323080111Z
entryDN: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
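
Added example, not part of the original message: a small parser that unfolds subschema LDIF the way the perl one-liner above does and classifies each attribute type by its USAGE clause (absent USAGE means userApplications, i.e. a normal user attribute). The sample input is constructed and its OIDs are placeholders.

```python
import re

# Constructed sample of `ldapsearch -x -s base -b cn=subschema attributetypes`
# output (folded LDIF); the numeric OIDs are placeholders, not real ones.
SAMPLE_LDIF = """\
dn: cn=Subschema
attributeTypes: ( 1.1.1 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentr
 y in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.1.9 S
 INGLE-VALUE USAGE directoryOperation )
attributeTypes: ( 1.1.2 NAME ( 'cn' 'commonName' ) DESC 'Common name' SUP na
 me )
attributeTypes: ( 1.1.3 NAME 'entryUUID' DESC 'UUID of the entry' SYNTAX 1.1
 .8 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
"""

def unfold(ldif):
    # Same job as perl -p0e 's/\n //g': join LDIF continuation lines.
    return ldif.replace("\n ", "")

def parse_attribute_types(ldif):
    """Map every attribute name (aliases included) to its schema flags."""
    result = {}
    for line in unfold(ldif).splitlines():
        if not line.lower().startswith("attributetypes:"):
            continue
        # DESC is free text; drop it so keywords inside it are not matched.
        body = re.sub(r"DESC\s+'[^']*'", "", line.split(":", 1)[1])
        m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", body)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        usage = re.search(r"\bUSAGE\s+(\w+)", body)
        info = {
            "usage": usage.group(1) if usage else "userApplications",
            "single_value": bool(re.search(r"\bSINGLE-VALUE\b", body)),
            "no_user_mod": bool(re.search(r"\bNO-USER-MODIFICATION\b", body)),
        }
        for name in names:
            result[name] = info
    return result

def is_operational(info):
    # Any USAGE other than userApplications marks an operational attribute.
    return info["usage"] != "userApplications"
```

Feeding it the real subschema output instead of SAMPLE_LDIF lists every attribute that only shows up when '+' is requested, along with which of those clients are not allowed to modify.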