directory-fortress mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shawn McKinney <>
Subject Re: Using REST API to get user's locked and reset states
Date Wed, 14 Jun 2017 18:07:04 GMT

> On Jun 14, 2017, at 12:07 PM, Shawn McKinney <> wrote:
> That was a work-around, and not recommended as solution as there will prolly be some
(other) problems in the apis you will encounter, when you call other methods, and they attempt
some auditing operations.
> So, if you can use latest source, pull, and change the server type back to apacheds.
> If you can’t, add this flag to, which will disable going down code
pathways specific to slapd auditing, which isn’t support on apacheds:
> disable.audit=true
> Later, when you upgrade to next release, you can remove the audit flag and simply use
>> ldap.server.type=apacheds

a bit more on this topic...

Here’s the ticket where the apacheds pw policy work is being tracked:

Most of the code changes were in the administrative functions, i.e. editing (new) password
policy objects.  ADS prepends ‘ads’ to all of the attribute names in the policy object

The policy attributes attached to user, i.e. pwdreset, pwdlocked, pwdhistory, are the same
in either server impl. 

I did have to do some work to make sure that when you set a password policy on a user account,
i.e. using pwdpolicysubentry, it points to the correct location, as ADS requires these policy
objects to be located in a specific ou in the DIT, as mentioned earlier.

There was also work just done, to manually removing the pwdreset flag on changepassword api.

For these reasons, you’re going to want to use latest code.  The good news, expect a new
release sometime in July, that has all of this new code working.  :-)

View raw message