Symantec Access Management

  • 1.  ldapsearch for operational attribute

    Posted Oct 03, 2016 11:03 PM

    Can we get the CA Directory's operational attribute using a ldapsearch command?



  • 2.  Re: ldapsearch for operational attribute
    Best Answer

    Posted Oct 04, 2016 07:34 AM

    The operational attributes contained in an entry can be returned by ldapsearch by:


    Explicitly listing them

        ldapsearch -x -h host:port -b c=au "(oc=*)" createTimestamp modifyTimestamp


    Or by returning all of them with the special + character

        ldapsearch -x -h host:port -b c=au "(oc=*)" +


    Or all attributes including operational attributes can be returned by including "*" +

        ldapsearch -x -h host:port -b c=au "(oc=*)" "*" +


    Hope that helps!



  • 3.  Re: ldapsearch for operational attribute

    Posted Oct 19, 2016 02:02 PM

    I would expect to also see attributes like:

    dxPwdLastChange

    dxPwdLoginTime

    dxPwdMustChange


    However, they do not appear.

    What am I missing?

    -jim



  • 4.  Re: ldapsearch for operational attribute

    Posted Oct 21, 2016 02:42 AM

    Password policy attributes are treated as operational attributes, that is, maintained by the DSA and not externally. These should appear when using the suggestions above. For example,


    ldapsearch -x -h host:port -b ou=users,o=ca,c=au "(cn=justin)" +
    # extended LDIF
    #
    # LDAPv3
    # base <ou=users,o=ca,c=au> with scope subtree
    # filter: (cn=justin)
    # requesting: +
    #

    # justin, users, ca, au
    dn: cn=justin,ou=users,o=ca,c=au
    createTimestamp: 20160824233907.402Z
    modifyTimestamp: 20160824233917.588Z
    dxPwdLastChange: 20160824233917.588Z
    dxPwdLoginTime: 20160824233917.588Z
    dxPwdMustChange: TRUE

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1


    My only other thought, if they aren't returned, is that password policy isn't enabled, or password policy has been recently enabled and the entries being retrieved haven't been used/updated.
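    The following is an added example, not code from this thread or from CA Directory: it builds the ldapsearch argument lists from reply 2 and parses the LDIF that reply 4 shows, then reports which entries came back without the dxPwd* password-policy attributes (the situation reply 3 describes). The LDIF sample is constructed, not captured from a live DSA, and the second entry is deliberately missing those attributes.

```python
import base64
# Constructed sample (not captured from a real DSA): what "ldapsearch ... +"
# prints for two entries, only one of which carries password-policy attributes.
SAMPLE_LDIF = """\
# requesting: +
dn: cn=justin,ou=users,o=ca,c=au
createTimestamp: 20160824233907.402Z
modifyTimestamp: 20160824233917.588Z
dxPwdLastChange: 20160824233917.588Z
dxPwdLoginTime: 20160824233917.588Z
dxPwdMustChange: TRUE

dn: cn=jim,ou=users,o=ca,c=au
createTimestamp: 20160824233907.402Z
modifyTimestamp:: MjAxNjA4MjQyMzM5MTcuNTg4Wg==

result: 0 Success
"""
PWD_POLICY_ATTRS = ("dxPwdLastChange", "dxPwdLoginTime", "dxPwdMustChange")

def ldapsearch_argv(host_port, base, filt, attrs=("+",)):
    """Argument list for the thread's commands: "+" requests all operational
    attributes, ("*", "+") requests user attributes plus operational ones."""
    return ["ldapsearch", "-x", "-h", host_port, "-b", base, filt, *attrs]

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from ldapsearch output, skipping '#'
    comments and the result block and decoding '::' base64 values."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if not line.strip():
            current = None                      # blank line ends the entry
        elif sep and not line.startswith("#"):
            if value.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            if attr.lower() == "dn":
                current = entries.setdefault(value.strip(), {})
            elif current is not None:
                current.setdefault(attr, []).append(value.strip())
    return entries

def missing_operational(entries, expected=PWD_POLICY_ATTRS):
    """DNs whose returned entry lacks any of the expected operational attributes."""
    missing = {}
    for dn, attrs in entries.items():
        have = {a.lower() for a in attrs}
        if any(a.lower() not in have for a in expected):
            missing[dn] = [a for a in expected if a.lower() not in have]
    return missing
```

Feeding real `ldapsearch ... +` output into parse_ldif and then missing_operational gives a quick list of entries that password policy has not yet touched, which is the first thing to check before suspecting the search itself.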