Question

I need to remove the operational attribute from the policy overlay called pwdAccountLockedTime

I followed this Q&A, which suggests way number 2:

Use LdapTemplate#modifyAttributes(Name, ModificationItem[]) directly, manually building the ModificationItem array.

Here's my code:

Name dn = buildDn(user);
DirContextOperations context = ldapTemplate.lookupContext(dn);
ModificationItem[] modificationItems;
modificationItems = new ModificationItem[1];
modificationItems[0] = new ModificationItem(DirContextAdapter.REMOVE_ATTRIBUTE,
                                            new BasicAttribute(
                                                 "pwdAccountLockedTime", dn));
ldapTemplate.modifyAttributes(dn,modificationItems);

I checked the user and that attribute still exists there.

What am I missing?


Solution 2

It appears your intent is to unlock an account which has been locked by too many incorrect password attempts in OpenLDAP.

If the user account is locked (pwdLockout is TRUE) then it may be unlocked by an administrator using either of the following procedures:

Delete the operational attribute pwdAccountLockedTime. This procedure allows the user to continue to use the current password and is only effective if the password has not expired.

Add the operational attribute pwdReset with a value of either TRUE or FALSE. FALSE is only effective if the password has not expired and has the same effect as deleting pwdAccountLockedTime.

In most OpenLDAP versions, you can remove the pwdAccountLockedTime.

Some versions may require using the ManageDIT control. Both of these assuming you have proper permissions.

According to rfc4512 section 3.4, "Not all operational attributes are user modifiable."

-jim

OTHER TIPS

If you want to delete the pwdAccountLockedTime attribute then you have to specify admin credentials while configuring LDAP. Users don't have access to delete operational attributes. You can take the code below as a reference.

    Name dn = buildDn(pvo);
    DirContextOperations context = ldapTemplate.lookupContext(dn);

    // Remove the whole attribute: no value is given to BasicAttribute,
    // so the server deletes every value of pwdAccountLockedTime.
    ModificationItem[] modificationItems = new ModificationItem[1];
    modificationItems[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                                                new BasicAttribute("pwdAccountLockedTime"));

    ldapTemplate.modifyAttributes(dn, modificationItems);

Note: buildDn() is a separate method.

  protected Name buildDn(PersonVo p) {
    return LdapNameBuilder.newInstance(BASE_DN)
      .add("","")    // add your root
      .add("", "")    // add your root
      .add("cn", p.getFullname())
      .build();
  }

I am getting this PersonVo object from the postman, based on that I am building Dn.

Here is the Configuration code

@Configuration
public class Config {

    @Bean
    public LdapContextSource ldapContextSource() {
        LdapContextSource lcs = new LdapContextSource();
        lcs.setUrl("Your url");
        lcs.setUserDn("yourDn");
        lcs.setPassword("yourpassword");
        return lcs;
    }

}

If you don't specify the admin credentials, this code doesn't work.
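As an added example (not code from the question or from either answer), a small Spring LDAP helper that applies both unlock procedures described above; the AccountUnlocker class, the LDAP_ADMIN_PASSWORD variable and the connection values are assumptions. It requests the operational attribute by name, since directory servers do not return operational attributes unless asked, deletes it without naming a value, and re-reads the entry to confirm the server actually removed it.

```java
import javax.naming.Name;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.support.LdapNameBuilder;

/** Hypothetical helper for ppolicy-locked OpenLDAP accounts (added example). */
public class AccountUnlocker {
    private static final String LOCK_ATTR = "pwdAccountLockedTime";
    private final LdapTemplate ldap;

    public AccountUnlocker(LdapTemplate ldap) { this.ldap = ldap; }

    /** Operational attributes are not returned by default; request this one by name. */
    public boolean isLocked(Name dn) {
        return ldap.lookup(dn, new String[] {LOCK_ATTR},
                (Attributes attrs) -> attrs.get(LOCK_ATTR) != null);
    }

    /** Procedure 1: delete the whole attribute. No value in BasicAttribute, unlike the question. */
    public boolean unlock(Name dn) {
        if (!isLocked(dn)) return false;
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute(LOCK_ATTR))
        };
        ldap.modifyAttributes(dn, mods);   // bound DN needs write ACL on the ppolicy attributes
        return !isLocked(dn);              // re-read: the server may silently leave it in place
    }

    /** Procedure 2: set pwdReset. REPLACE works whether or not the attribute already exists. */
    public void forcePasswordReset(Name dn) {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("pwdReset", "TRUE"))
        };
        ldap.modifyAttributes(dn, mods);
    }

    public static void main(String[] args) throws Exception {
        LdapContextSource cs = new LdapContextSource();      // placeholder connection values
        cs.setUrl("ldap://ldap.example.com:389");
        cs.setUserDn("cn=admin,dc=example,dc=com");          // administrative bind, not the user
        cs.setPassword(System.getenv("LDAP_ADMIN_PASSWORD"));  // assumed environment variable
        cs.afterPropertiesSet();
        Name dn = LdapNameBuilder.newInstance("dc=example,dc=com")
                .add("ou", "people").add("cn", args[0]).build();
        System.out.println("unlocked: " + new AccountUnlocker(new LdapTemplate(cs)).unlock(dn));
    }
}
```

The explicitly typed lambda parameter is deliberate: LdapTemplate overloads lookup() for both AttributesMapper and ContextMapper, and an untyped lambda would be ambiguous.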

You don't. Operational attributes are for the LDAP server, not for applications. They are read-only to applications.

However, this specific attribute can be changed by an administrator account. The only other way to change it is for the lockout to expire. Otherwise only a password administrator can unlock the account: see #5.3.3.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow