
Re: attribute 'pwdPolicySubentry' cannot have multiple values



On Monday, 22 March 2010 12:40:47 Chris Jacobs wrote:
> Howard, Tyler, Michael,
> 
> My apologies: I take that back.  The entry is indeed on the account - and
>  it is, in fact, a system attribute.
> 
> I will endeavor to not reply to messages at 4am in the future - a bit too
>  quick on the /assume/ thing.
> 
> BTW:
> How do you identify whether an attribute will be a system attribute or not?
>   I've plenty to learn on ldap, but even I knew to look at the schema file
>  - and I'm not certain how one could know whether an attribute would be a
>  system attribute.


The "USAGE directoryOperation" is the key:

[bgmilne@tiger ~]$ ldapsearch  -x -s base -b cn=subschema attributetypes|perl -p0e 's/\n //g'|grep pwdPolicySubentry
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )

On an existing entry, you can ask for only the operational attributes with the 
'+' modifier, e.g.:

[bgmilne@tiger ~]$ ldapsearch -x -LLL uid=bgmilne '+'
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 8b74bea0-f20d-101e-8cdf-6105b6f2f478
creatorsName: uid=account admin,ou=system accounts,dc=ranger,dc=dnsailas,dc=co
 m
createTimestamp: 19960203002836Z
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
 m
pwdChangedTime: 20100319092937Z
entryCSN: 20100323080111.520646Z#000000#003#000000
modifiersName: cn=manager,dc=ranger,dc=dnsalias,dc=com
modifyTimestamp: 20100323080111Z
entryDN: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Regards,
Buchan
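
Added example, not part of the original message: a small parser that applies the same check to every attributeTypes value in a subschema dump, unfolding the LDIF lines the way the perl one-liner does and classifying each attribute by its USAGE. The sample input is constructed (only the pwdPolicySubentry definition is taken from the message), and the function names are hypothetical.

```python
import re

# RFC 4512: USAGE defaults to userApplications; the other three are operational.
OPERATIONAL_USAGES = {"directoryOperation", "distributedOperation", "dSAOperation"}

# Constructed sample of subschema output with LDIF line folding left in place.
# The pwdPolicySubentry definition is the one shown in the message above.
SAMPLE_LDIF = """\
dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'T
 he pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperat
 ion )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common na
 me(s) for which the entity is known by' SUP name )
attributeTypes: ( 2.5.18.1 NAME 'createTimestamp' DESC 'RFC4512: time which o
 bject was created' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrd
 eringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFIC
 ATION USAGE directoryOperation )
"""

def parse_attribute_types(ldif):
    """Map each attribute name (and alias) to its usage and flags."""
    parsed = {}
    # Unfold first: in LDIF, a newline followed by one space continues the line.
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if not line.lower().startswith("attributetypes: "):
            continue
        definition = line.split(":", 1)[1]
        # NAME is either a single 'name' or a list: ( 'name' 'alias' )
        m = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", definition)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']*)'", m.group(2))
        # Blank out quoted strings so keywords inside a DESC are never matched.
        tokens = re.sub(r"'[^']*'", "''", definition).split()
        usage = tokens[tokens.index("USAGE") + 1] if "USAGE" in tokens else "userApplications"
        info = {"usage": usage,
                "operational": usage in OPERATIONAL_USAGES,
                "single_value": "SINGLE-VALUE" in tokens,
                "no_user_modification": "NO-USER-MODIFICATION" in tokens}
        for name in names:
            parsed[name] = info
    return parsed

def operational_attributes(ldif):
    """Return the sorted names of all attributes with an operational USAGE."""
    return sorted(n for n, i in parse_attribute_types(ldif).items() if i["operational"])

if __name__ == "__main__":
    for name, info in parse_attribute_types(SAMPLE_LDIF).items():
        print(name, info)
```

An attribute with no USAGE clause, such as cn here, is a user attribute and is returned by a plain search; the ones reported as operational only appear when requested by name or with '+'.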