Re: Disable Inactive Users After 90 days

[Ali Jawad <ali.jawad@xxxxxxxxxxxx>]

Hi Rich

Your help is highly appreciated, I got it working, thanks for your patience.
Regards

On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 05/09/2012 08:17 AM, Ali Jawad wrote:

Hi

Thanks Rich, just what I was searching for, I am facing a problem though "ldapmodify: No such object (32) matched DN: dc=domain,dc=local"at :

[user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x

dn: cn=Account Inactivation Policy,dc=example,dc=com

objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2592000
cn: Account Inactivation Policy

I am doing 

[root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password  -p 389 -h x.x.x.x   -x

dn: cn=Account Inactivation Policy,dc=domain,dc=local

objectClass: top

objectClass: ldapsubentry

objectClass: extensibleObject

objectClass: accountpolicy

accountInactivityLimit: 2592000

cn: Account Inactivation Policy

modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"

ldapmodify: No such object (32)

        matched DN: dc=domain,dc=local

Right.  You are missing the ldapmodify -a - see the original instructions

On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 05/09/2012 07:45 AM, Ali Jawad wrote:

Hi

I have a requirement to disable inactive users after 90 days. I did read  http://directory.fedoraproject.org/wiki/Account_Policy_Design  but I am not sure whether this is a design proposal or the actual implementation. 

My DS version is :

rpm -qa | grep 389

389-admin-console-1.1.8-1.el5

389-ds-base-1.2.9.9-1.el5

389-dsgw-1.1.7-2.el5

389-console-1.1.7-3.el5

389-adminutil-1.1.14-1.el5

389-admin-1.1.23-1.el5

389-admin-console-doc-1.1.8-1.el5

389-ds-1.2.1-1.el5

389-ds-base-libs-1.2.9.9-1.el5

389-ds-console-1.2.6-1.el5

389-ds-console-doc-1.2.6-1.el5

I got 

[root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b "cn=config" -s base lastLoginTime

# extended LDIF

#

# LDAPv3

# base <cn=config> with scope baseObject

# filter: (objectclass=*)

# requesting: lastLoginTime 

#

# config

dn: cn=config

# search result

search: 2

result: 0 Success

# numResponses: 2

# numEntries: 1

and 

[root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*

/etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)

/etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'

I am not sure how to implement this though, please advice.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html

Regards

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--

Ali Jawad

Information Systems Manager

Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

--

Ali Jawad

Information Systems Manager

Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users