
OpenDS provides command-line access to many necessary account functions via its manage-account utility. For example, to disable an account:

manage-account set-account-is-disabled --operationValue true \
  --baseDN "uid=someuser,ou=People,dc=example,dc=com" --hostname hostname --port 389 \
  --bindDN "cn=Directory Manager" --bindPassword password

This is fine and dandy if you have a sysadmin to administer your LDAP server, but in a scenario where you have thousands of users all over the globe this becomes a problem (imagine a user locked out of their account in Japan while the sysadmin is asleep in the US). We'd like to be able to programmatically tie into some of these manage-account functions so we can provide local admins/managers the ability to manage their own users.

Can anybody provide any insight on whether this is possible and, if so, how? We are writing this in C# and I can't find any examples of it. Looking at the .NET API docs I thought System.DirectoryServices.Protocols.ExtendedRequest looked promising, but I cannot figure out how to use it.

Any help would be greatly appreciated, thanks!

snappymcsnap

2 Answers


The manage-account tool uses an LDAP extended operation, whose code is in opends/src/server/org/opends/server/extensions/PasswordPolicyStateExtendedOperation.java.

Alternatively, you can check the OpenDJ LDAP SDK, which has support for the extended operation and will allow you to quickly write a client application. The OpenDJ LDAP SDK is documented at http://opendj.forgerock.org/opendj-ldap-sdk/ (and in the developer's guide: http://opendj.forgerock.org/doc/dev-guide/OpenDJ-Dev-Guide.html).

Regards,

Ludovic

Ludovic Poitou
  • Thanks for the tips Ludo, I was hoping it wasn't going to be that complicated and I wouldn't have to dig through all the source code trying to pull out the pieces I needed, but it seems there might be no other way. I checked out the link you posted for the OpenDJ developer guide but unfortunately the chapter on Extended Operations is still marked 'TO DO' :( – snappymcsnap Jul 06 '11 at 18:40
  • Sorry about that. Docs are work in progress. One warning, the manage-account works by default on the Administration Port (4444) which is secured by SSL. If you write your own tool, you can run on regular LDAP connection or LDAPS as you prefer. – Ludovic Poitou Jul 07 '11 at 16:17

The source code for manage-account is available, one can re-create the encodings from there. Also, one could set up a directory server, run manage-account, record the steps the tool takes from the access log, then write code to re-create those steps.

Terry Gardner
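Putting the two answers together: the OID and the ASN.1 layout that manage-account sends can be read straight out of PasswordPolicyStateExtendedOperation.java, and once you have the BER-encoded value, System.DirectoryServices.Protocols.ExtendedRequest carries it with no further help. The following is an added example written for this page; it is not code from the question, from either answer, or from OpenDS/OpenDJ. The OID (1.3.6.1.4.1.26027.1.6.1), the SEQUENCE/ENUMERATED/OCTET STRING layout and the opType numbers are taken from the Java source; the host name, DNs and password are placeholders, and the response decoder assumes the server echoes each operation back in the same layout as the request (mirrored from the Java encoder).

```csharp
// Added example (not from the original post or from OpenDS): drive the password policy state
// extended operation behind manage-account from C# with System.DirectoryServices.Protocols.
// OID, ASN.1 layout and opType values follow PasswordPolicyStateExtendedOperation.java;
// host, DNs and credentials below are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public static class PasswordPolicyState
{
    public const string Oid = "1.3.6.1.4.1.26027.1.6.1";
    // First few opType values of the ENUMERATED in the Java source (there are about forty).
    public const int GetAccountDisabledState = 1, SetAccountDisabledState = 2, ClearAccountDisabledState = 3;

    // ---- minimal BER: SEQUENCE 0x30, OCTET STRING 0x04, ENUMERATED 0x0A ----
    static byte[] Tlv(byte tag, byte[] content)
    {
        var o = new List<byte> { tag };
        if (content.Length < 128) o.Add((byte)content.Length);
        else
        {   // long form: 0x80 | number of length octets, then the length big-endian
            var len = new List<byte>();
            for (int n = content.Length; n > 0; n >>= 8) len.Insert(0, (byte)(n & 0xFF));
            o.Add((byte)(0x80 | len.Count)); o.AddRange(len);
        }
        o.AddRange(content);
        return o.ToArray();
    }
    static byte[] Seq(params byte[][] parts) { var o = new List<byte>(); foreach (var p in parts) o.AddRange(p); return Tlv(0x30, o.ToArray()); }
    static byte[] Str(string s) => Tlv(0x04, Encoding.UTF8.GetBytes(s));
    static byte[] Enum(int v)
    {   // minimal big-endian two's-complement integer (opType is small and non-negative)
        var b = new List<byte>();
        do { b.Insert(0, (byte)(v & 0xFF)); v >>= 8; } while (v > 0);
        if ((b[0] & 0x80) != 0) b.Insert(0, 0);
        return Tlv(0x0A, b.ToArray());
    }
    static byte[] ReadTlv(byte[] b, ref int pos)
    {   // returns the content of the TLV at pos and advances pos past it (tag is not checked)
        pos++;
        int len = b[pos++];
        if (len >= 0x80) { int n = len & 0x7F; len = 0; while (n-- > 0) len = (len << 8) | b[pos++]; }
        var c = new byte[len]; Array.Copy(b, pos, c, 0, len); pos += len;
        return c;
    }

    // PasswordPolicyStateValue ::= SEQUENCE { targetUser OCTET STRING (the DN),
    //   operations SEQUENCE OF SEQUENCE { opType ENUMERATED, opValues SEQUENCE OF OCTET STRING OPTIONAL } }
    public static byte[] EncodeRequest(string targetDn, int opType, params string[] opValues)
    {
        var op = new List<byte[]> { Enum(opType) };
        if (opValues.Length > 0) op.Add(Seq(Array.ConvertAll(opValues, v => Str(v))));
        return Seq(Str(targetDn), Seq(Seq(op.ToArray())));
    }

    // Assumption: the response value mirrors the request layout; returns opType -> values echoed back.
    public static Dictionary<int, List<string>> DecodeResponse(byte[] value)
    {
        var result = new Dictionary<int, List<string>>();
        int p = 0; var outer = ReadTlv(value, ref p);
        int q = 0; ReadTlv(outer, ref q);                 // targetUser DN, skipped
        var ops = ReadTlv(outer, ref q);
        for (int r = 0; r < ops.Length;)
        {
            var op = ReadTlv(ops, ref r); int s = 0;
            int opType = 0; foreach (var x in ReadTlv(op, ref s)) opType = (opType << 8) | x;
            var vals = new List<string>();
            if (s < op.Length) { var seq = ReadTlv(op, ref s); for (int u = 0; u < seq.Length;) vals.Add(Encoding.UTF8.GetString(ReadTlv(seq, ref u))); }
            result[opType] = vals;
        }
        return result;
    }

    public static Dictionary<int, List<string>> Send(LdapConnection conn, string targetDn, int opType, params string[] opValues)
    {
        var resp = (ExtendedResponse)conn.SendRequest(new ExtendedRequest(Oid, EncodeRequest(targetDn, opType, opValues)));
        if (resp.ResultCode != ResultCode.Success)
            throw new InvalidOperationException(resp.ResultCode + ": " + resp.ErrorMessage);
        return DecodeResponse(resp.ResponseValue);
    }

    public static void Main()
    {
        // Placeholders. Bind over LDAPS so the password does not cross the network in clear text, and
        // bind as a delegated account that holds only the password-reset privilege (the privilege OpenDS
        // checks for this operation) rather than as cn=Directory Manager.
        var conn = new LdapConnection(new LdapDirectoryIdentifier("ldap.example.com", 636));
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        conn.AuthType = AuthType.Basic;
        conn.Credential = new NetworkCredential("cn=Account Admin,ou=Admins,dc=example,dc=com", "password");
        conn.Bind();

        string target = "uid=someuser,ou=People,dc=example,dc=com";
        Send(conn, target, SetAccountDisabledState, "true");     // = manage-account set-account-is-disabled --operationValue true
        var state = Send(conn, target, GetAccountDisabledState); // = manage-account get-account-is-disabled
        Console.WriteLine("disabled: " + (state.TryGetValue(GetAccountDisabledState, out var v) ? string.Join(",", v) : "(not returned)"));
    }
}
```

Two practical notes for the delegated-admin scenario in the question. First, OpenDS refuses this extended operation unless the bound identity holds the password-reset privilege, so the account your local admins' tool binds as needs ds-privilege-name: password-reset (plus ordinary ACI rights to the user entries); do not ship the Directory Manager password inside a client application. Second, the raw request value is easy to check against the real thing: run manage-account once with the access log enabled, as Terry suggests, and compare the logged EXTENDED operation's OID and result with what the code above produces before pointing it at production.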