I'll begin by apologizing. I'm fairly new at IDM & LDAP in general (I was handed this product when my boss left the company). I've had no formal training & I'm (so far) trying to learn this on my own. Usually I can figure it out, but this has really stumped me. If you read what's below & think I'm going in a completely wrong direction, please let me know what other options I may have. Also, please let me know if you need more information. I'll be happy to share it with you.
So I'm trying to push logindisabled to OpenLDAP (LDAP Driver v.3.5.2) so that our applications can filter on who's enabled & who isn't. The issue is there's a syntax problem when trying to populate logindisabled to the OpenLDAP instance (openldap-2.3.27-1).
I started by setting up a new attribute in our OpenLDAP schema & specifying it to be boolean.
Code:
attributetype ( 2.5.4.55 NAME 'logindisabled'
    DESC 'If this value is TRUE, account is inactive, otherwise it is active.'
    EQUALITY booleanMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
Then I set up Login Disabled in the filter for the subscriber & added it to the schema map for the driver. When an event comes through (i.e. disabling the account in Active Directory), this is the error I get from the command.
Code:
[10/28/09 16:55:03.714]:LDAP-QA-MASTER ST:
DirXML Log Event -------------------
Driver: \COMPANY\com\company\Company Identity\LDAP-QA-MASTER
Channel: Subscriber
Object: \COMPANY\com\company\users\zmonkey
Status: Error
Message: LDAPException: Invalid Attribute Syntax (21) Invalid Attribute Syntax
LDAPException: Server Message: logindisabled: value #0 invalid per syntax
LDAPException: Matched DN:
[10/28/09 16:55:04.058]:LDAP-QA-MASTER ST:End transaction.
Populating the field through ldapmodify works just fine (as long as it's uppercase... not sure, but this may be the problem).
Code:
user@host:~$ ldapmodify -x -W -D 'cn=admin,dc=company,dc=com' -H ldaps://host.qa
Enter LDAP Password:
dn: uid=zmonkey,ou=users,dc=company,dc=com
changetype: modify
replace: logindisabled
logindisabled: TRUE
-
modifying entry "uid=zmonkey,ou=users,dc=company,dc=com"
dn: uid=zmonkey,ou=users,dc=company,dc=com
changetype: modify
replace: logindisabled
logindisabled: false
-
modifying entry "uid=zmonkey,ou=users,dc=company,dc=com"
ldap_modify: Invalid syntax (21)
additional info: logindisabled: value #0 invalid per syntax
As you can see...using lowercase values won't work. This may not be the problem, because I can't actually see what the driver is trying to send. From the trace, it looks like lowercase.
The full trace is attached.
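As an added example (not from the post, the IDM driver, or OpenLDAP), here is the case-sensitive check that RFC 4517 prescribes for the Boolean syntax 1.3.6.1.4.1.1466.115.121.1.7, which is what the "value #0 invalid per syntax" error above reflects, together with a normalizer that turns a lowercase value into the uppercase form before the LDIF record is built. The DN, attribute name and syntax OID are the ones from the post; the set of loose inputs that normalize_boolean accepts is my assumption.

```python
import re

# RFC 4517 Boolean syntax (OID 1.3.6.1.4.1.1466.115.121.1.7): the only valid
# encodings are the literal strings "TRUE" and "FALSE", compared case-sensitively.
# This is the same rule behind the "value #0 invalid per syntax" error above.
BOOLEAN_SYNTAX_OID = "1.3.6.1.4.1.1466.115.121.1.7"
_BOOLEAN_RE = re.compile(r"^(TRUE|FALSE)$")


def boolean_syntax_valid(value: str) -> bool:
    """Return True only if value is a valid RFC 4517 Boolean encoding."""
    return _BOOLEAN_RE.match(value) is not None


def normalize_boolean(value) -> str:
    """Map loose upstream values (true/false, yes/no, 1/0, Python bools) onto
    the uppercase encoding OpenLDAP accepts. The accepted input set is an
    assumption; anything else raises instead of being passed through."""
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    text = str(value).strip().lower()
    if text in ("true", "yes", "1"):
        return "TRUE"
    if text in ("false", "no", "0"):
        return "FALSE"
    raise ValueError(f"not a boolean value: {value!r}")


def ldif_replace(dn: str, attr: str, value) -> str:
    """Build the same 'changetype: modify / replace' record the ldapmodify
    session above used, with the value normalized first."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {attr}",
        f"{attr}: {normalize_boolean(value)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: the two values typed into ldapmodify in the post.
    for v in ("TRUE", "false"):
        verdict = "ok" if boolean_syntax_valid(v) else "invalid per syntax"
        print(f"{v!r}: {verdict}")
    print(ldif_replace("uid=zmonkey,ou=users,dc=company,dc=com",
                       "logindisabled", "false"))
```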