Thanks so much, Jon! I can see it clearly now!
# Service Accounts, domain
dn: ou=Service Accounts,domain

# g14classified, Service Accounts, domain
dn: uid=g14classified,ou=Service Accounts,domain
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,domain

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: [email protected]
O: 212-746-6305
F: 212-746-8690

On Wed, Oct 25, 2017 at 9:34 AM, Jon C Kidder <[email protected]> wrote:

> pwdPolicySubentry is an operational attribute. It will not be returned in
> search results unless you explicitly request it or use + in your requested
> attribute list.
>
> If you change the add to a replace in your ldif file, your modify operation
> should succeed.
>
> JON C KIDDER | MIDDLEWARE ADMINISTRATOR LEAD
> [email protected] | D: 614.716.4970
> 1 RIVERSIDE PLAZA, COLUMBUS, OH 43215
>
> From: openldap-technical [mailto:[email protected]]
> On Behalf Of Douglas Duckworth
> Sent: Wednesday, October 25, 2017 9:24 AM
> To: Openldap Technical
> Subject: [EXTERNAL] pwdPolicySubentry: value #0 already exists
>
> Hi
>
> I am trying to make sure my bind Service Account's password does not
> expire.
> I set this in ou=Policies with the intention that the policy would
> only be applied to this user:
>
> # Policies, domain
> dn: ou=Policies,domain
> ou: Policies
> objectClass: organizationalUnit
>
> # CustomBindAccountPolicy, Policies, domain
> dn: cn=CustomBindAccountPolicy,ou=Policies,domain
> objectClass: person
> objectClass: top
> cn: passwordDefault
> cn: CustomBindAccountPolicy
> sn: passwordDefault
> pwdAttribute: userPassword
> pwdMinAge: 0
> pwdMaxAge: 0
> pwdLockout: FALSE
>
> However, I do not see this dn referenced on the user:
>
> # importantuser, Service Accounts, domain
> dn: uid=importantuser,ou=Service Accounts,domain
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: extensibleObject
> uid: binduser
> cn: bind
> sn: user
> givenName: binduser
> title: Account
> loginShell: /dev/null
> uidNumber: 123
> gidNumber: 456
> homeDirectory: /dev/null
> description: Service Account
> userPassword:: password123
>
> When I try to add using ldapadd and this ldif:
>
> dn: uid=importantuser,ou=Service Accounts,domain
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu
>
> I get this error:
>
> me@nsa[~/ldap]$ ladd server.ldif
>
> Enter LDAP Password:
> modifying entry "uid=importantuser,ou=Service Accounts,domain"
> ldap_modify: Type or value exists (20)
> additional info: modify/add: pwdPolicySubentry: value #0 already exists
>
> Do you have any idea what could be happening? My ACLs allow the binduser
> to see everything, so I don't understand what's happening.
>
> Thank you very much!
>
> Thanks,
>
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: [email protected]
> O: 212-746-6305
> F: 212-746-8690
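Added example (not the poster's or OpenLDAP's own code): a small Python helper that takes one entry as dumped by ldapsearch with '+' in the attribute list and decides whether pwdPolicySubentry needs an add, a replace, or nothing, instead of guessing and hitting result 20 as in the thread. It refuses a dump that carries no operational attributes at all, since such a dump was taken without '+' and cannot show whether the attribute is already set. The sample dumps, the entryUUID value and the uid/policy DN are constructed from the thread; the policy LDIF it emits includes objectClass pwdPolicy, which the ppolicy schema requires and which the policy entry shown in the thread lacks.

```python
"""Pick the right ppolicy assignment change from an ldapsearch dump.

Added example for this thread, not the poster's or OpenLDAP's own code.
pwdPolicySubentry is SINGLE-VALUE and operational, so it is hidden unless
requested (by name or with '+'), and a modify/add while a value is already
there fails with result 20 (typeOrValueExists), the error in the thread.
Feed this one entry from:

    ldapsearch -LLL -x -D <binddn> -W -b <base> '(uid=g14classified)' '*' '+'
"""
import base64

POLICY_DN = "cn=CustomBindAccountPolicy,ou=Policies,domain"  # from the thread

# OpenLDAP stamps these on every entry; if none appear, the dump was taken
# without '+' and a missing pwdPolicySubentry in it proves nothing.
OPERATIONAL_MARKERS = ("entryuuid", "entrycsn", "createtimestamp", "modifytimestamp")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]} (folded lines, '::' base64)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            try:
                value = base64.b64decode(value[1:].strip(), validate=True).decode("utf-8", "replace")
            except ValueError:
                value = value[1:].strip()   # not real base64 (a hand-redacted password, say)
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry


def plan_policy_change(entry, policy_dn=POLICY_DN):
    """Return (changetype, ldif): 'add', 'replace' or 'none', and the modify LDIF to apply."""
    if not any(m in entry for m in OPERATIONAL_MARKERS):
        raise ValueError("no operational attributes in dump; re-run ldapsearch with '+'")
    current = entry.get("pwdpolicysubentry", [])
    # Plain case-insensitive compare; exact DN matching is the server's job.
    if current and current[0].lower() == policy_dn.lower():
        return "none", ""
    op = "replace" if current else "add"   # 'add' on an existing value => result 20
    ldif = "\n".join([f"dn: {entry['dn'][0]}", "changetype: modify",
                      f"{op}: pwdPolicySubentry", f"pwdPolicySubentry: {policy_dn}", "-", ""])
    return op, ldif


def policy_entry_ldif(policy_dn=POLICY_DN, max_age=0):
    """LDIF for a never-expiring policy. pwdPolicy is AUXILIARY and MUST have pwdAttribute,
    so it sits on a structural class (person, as in the thread) plus objectClass pwdPolicy."""
    cn = policy_dn.split(",", 1)[0].split("=", 1)[1]
    return "\n".join([f"dn: {policy_dn}", "objectClass: top", "objectClass: person",
                      "objectClass: pwdPolicy", f"cn: {cn}", f"sn: {cn}",
                      "pwdAttribute: userPassword", f"pwdMaxAge: {max_age}",  # 0: never expires
                      "pwdLockout: FALSE", ""])


# Constructed sample dumps modelled on the thread's entry (not real server output).
DUMP_WITH_PLUS = """\
dn: uid=g14classified,ou=Service Accounts,domain
objectClass: account
objectClass: posixAccount
uid: g14classified
userPassword:: password123
entryUUID: 3c2b0c2a-8d3e-4c0b-9f3a-2f1e1d0c0b0a
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,
 domain
"""

DUMP_WITHOUT_PLUS = """\
dn: uid=g14classified,ou=Service Accounts,domain
objectClass: account
uid: g14classified
"""

if __name__ == "__main__":
    print(policy_entry_ldif())
    op, ldif = plan_policy_change(parse_ldif_entry(DUMP_WITH_PLUS))
    print("with '+':", op)                  # already set -> none
    try:
        plan_policy_change(parse_ldif_entry(DUMP_WITHOUT_PLUS))
    except ValueError as err:
        print("without '+':", err)
```

Pipe the LDIF that plan_policy_change returns into ldapmodify as usual; the '-' terminator closes the single modify operation. The check on operational markers is the practical lesson of the thread: an absent pwdPolicySubentry in a dump made without '+' is not evidence that it is unset.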
