How to Safely Delete Individual and Group based Password Policies

Technote (troubleshooting)


Problem (Abstract)

When attempting to remove Individual or Group Password Policies with idsldapdelete, you encounter the error:
ldap_delete: DSA is unwilling to perform

Symptom

Attempting to delete Individual or Group based Password Policies that are still in use fails.

For example:
idsldapdelete -p 2389 -D cn=root -w secret -k -f del-pwd.ldif
>> Deleting entry cn=user10_pwd_policy,cn=ibmpolicies
ldap_delete: DSA is unwilling to perform

where: del-pwd.ldif
cn=user10_pwd_policy,cn=ibmpolicies

and

idsldapdelete -p 2389 -D cn=root -w secret -k -f del-pwd-2.ldif
>> Deleting entry cn=Testgroup_pwd_policy,cn=ibmpolicies
ldap_delete: DSA is unwilling to perform

where: del-pwd-2.ldif
cn=Testgroup_pwd_policy,cn=ibmpolicies

Errors in the ibmslapd.log:

--------------------------------
02/13/13 08:47:38 GLPRDB105E The password policy entry CN=USER10_PWD_POLICY,CN=IBMPOLICIES is in use and cannot be renamed or deleted.
02/13/13 08:48:25 GLPRDB105E The password policy entry CN=USER10_PWD_POLICY,CN=IBMPOLICIES is in use and cannot be renamed or deleted.

Cause

Once a password policy entry has been referenced by a user entry (attribute ibm-pwdIndividualPolicyDN) or a group entry (attribute ibm-pwdGroupPolicyDN), it cannot be renamed or deleted until every such reference has been removed. The server logs GLPRDB105E and returns LDAP result 53, "DSA is unwilling to perform", to the client.

Resolving the problem

This is an example of how to find which Individual and Group Password Policies are in use, remove the associations, and then delete the policies:

1. With Global, Individual, and Group password policies enabled, search for all Password Policy entries:
For example:
# idsldapsearch -p 2389 -D cn=root -w secret -s sub -b " " objectclass=ibm-pwd*
cn=pwdpolicy,cn=ibmpolicies
objectclass=container
objectclass=pwdPolicy
objectclass=ibm-pwdPolicyExt
objectclass=ibm-pwdGroupAndIndividualPolicies
objectclass=top
cn=pwdPolicy
pwdAttribute=userPassword
pwdCheckSyntax=0
pwdGraceLoginLimit=0
pwdFailureCountInterval=0
passwordMaxRepeatedChars=0
passwordMaxConsecutiveRepeatedChars=0
pwdMinAge=0
pwdExpireWarning=0
pwdMinLength=0
passwordMinAlphaChars=0
passwordMinOtherChars=0
passwordMinDiffChars=0
pwdAllowUserChange=false
pwdMustChange=false
pwdLockoutDuration=660
ibm-pwdGroupAndIndividualEnabled=true
ibm-pwdpolicy=true
ibm-pwdPolicyStartTime=20130213143518Z
pwdinhistory=2
pwdlockout=true
pwdmaxage=7776000
pwdmaxfailure=3
pwdsafemodify=true

cn=user10_pwd_policy,cn=ibmpolicies
objectclass=container
objectclass=pwdPolicy
objectclass=ibm-pwdPolicyExt
objectclass=top
cn=user10_pwd_policy
pwdAttribute=userPassword
pwdMaxFailure=5
pwdLockout=true
pwdMustChange=false
pwdAllowUserChange=false
ibm-pwdpolicy=true
ibm-pwdpolicyStartTime=20130213143742Z

cn=Testgroup_pwd_policy,cn=ibmpolicies
objectclass=container
objectclass=pwdPolicy
objectclass=ibm-pwdPolicyExt
objectclass=top
cn=Testgroup_pwd_policy
pwdAttribute=userPassword
pwdMaxFailure=2
pwdLockout=true
pwdAllowUserChange=false
pwdMustChange=false
ibm-pwdpolicy=true
ibm-pwdpolicyStartTime=20130213144105Z


*** NOTE ***
-------------------
I have the following Password Policies:
A. Global PwdPolicy (cn=pwdpolicy,cn=ibmpolicies)
B. Individual PwdPolicy (cn=user10_pwd_policy,cn=ibmpolicies)
C. Group PwdPolicy (cn=Testgroup_pwd_policy,cn=ibmpolicies)


2. Now I want to delete the Individual and Group Password Policies:
# cat del-pwd.ldif
cn=user10_pwd_policy,cn=ibmpolicies

Run:
# idsldapdelete -p 2389 -D cn=root -w secret -k -f del-pwd.ldif
>> Deleting entry cn=user10_pwd_policy,cn=ibmpolicies
ldap_delete: DSA is unwilling to perform

and

# cat del-pwd-2.ldif
cn=Testgroup_pwd_policy,cn=ibmpolicies

Run:
# idsldapdelete -p 2389 -D cn=root -w secret -k -f del-pwd-2.ldif
>> Deleting entry cn=Testgroup_pwd_policy,cn=ibmpolicies
ldap_delete: DSA is unwilling to perform


Errors in ibmslapd.log:
--------------------------
02/13/13 08:47:38 GLPRDB105E The password policy entry CN=USER10_PWD_POLICY,CN=IBMPOLICIES is in use and cannot be renamed or deleted.

02/13/13 09:26:04 GLPRDB105E The password policy entry CN=TESTGROUP_PWD_POLICY,CN=IBMPOLICIES is in use and cannot be renamed or deleted.



3. I've already associated the Individual PwdPolicy with user(s) and want to find out which users are associated with it so I can de-associate them:
A. I can search for a particular user - for example:
# idsldapsearch -p 2389 -D cn=root -w secret -s base -b "uid=user10,ou=Houston,o=ibm,c=us" objectclass=* ibm-pwdIndividualPolicyDN
>> uid=user10,ou=Houston,o=ibm,c=us
ibm-pwdIndividualPolicyDN=cn=user10_pwd_policy, cn=ibmpolicies

B. Or I can search all users under the suffix and save the output to a file - for example:
# idsldapsearch -p 2389 -D cn=root -w secret -b o=ibm,c=us objectclass=* ibm-pwdIndividualPolicyDN > pwdOut.txt

Then open pwdOut.txt and look for the attribute; entries that reference the policy look like this (entries without the attribute are listed by DN only):

uid=user10,ou=Houston,o=ibm,c=us
ibm-pwdIndividualPolicyDN=cn=user10_pwd_policy,cn=ibmpolicies

C. Or I can grep the file for the attribute ibm-pwdIndividualPolicyDN - for example:
# grep -i ibm-pwdIndividualPolicyDN pwdOut.txt
>> ibm-pwdIndividualPolicyDN=cn=user10_pwd_policy,cn=ibmpolicies
Note that grep alone shows the policy value, not the entry that holds it; the owning DN is on the line directly above each match in pwdOut.txt.

4. I've already associated the Group PwdPolicy with group(s) and want to find out which groups are associated with it so I can de-associate them:
A. I can search for a particular group - for example:
# idsldapsearch -p 2389 -D cn=root -w secret -b "cn=Testgroup,ou=Houston,o=IBM,c=US" objectclass=* ibm-pwdGroupPolicyDN
>> cn=Testgroup,ou=Houston,o=IBM,c=US
ibm-pwdGroupPolicyDN=cn=Testgroup_pwd_policy,cn=ibmpolicies

B. Or I can search for all groups under the suffix:
# idsldapsearch -p 2389 -D cn=root -w secret -b o=ibm,c=us objectclass=* ibm-allGroups ibm-pwdGroupPolicyDN
>> cn=Testgroup,ou=Houston,o=IBM,c=US
ibm-pwdGroupPolicyDN=cn=Testgroup_pwd_policy,cn=ibmpolicies


5. Now I de-associate the Individual PwdPolicy from the user:
# cat de-assign.ldif
dn: uid=user10,ou=Houston,o=ibm,c=us
changetype: modify
delete: ibm-pwdIndividualPolicyDN

Run:
# idsldapmodify -p 2389 -D cn=root -w secret -k -f de-assign.ldif
>> Operation 0 modifying entry uid=user10,ou=Houston,o=ibm,c=us

Verify that the attribute is gone (only the DN is returned):
# idsldapsearch -p 2389 -D cn=root -w secret -s base -b "uid=user10,ou=Houston,o=ibm,c=us" objectclass=* ibm-pwdIndividualPolicyDN
>> uid=user10,ou=Houston,o=ibm,c=us

6. Now I de-associate the Group PwdPolicy from the group:
# cat de-assign-grp.ldif
dn: cn=Testgroup,ou=Houston,o=IBM,c=US
changetype: modify
delete: ibm-pwdGroupPolicyDN

Run:
# idsldapmodify -p 2389 -D cn=root -w secret -k -f de-assign-grp.ldif
>> Operation 0 modifying entry cn=Testgroup,ou=Houston,o=IBM,c=US

Verify that the attribute is gone (only the DN is returned):
# idsldapsearch -p 2389 -D cn=root -w secret -b "cn=Testgroup,ou=Houston,o=IBM,c=US" objectclass=* ibm-pwdGroupPolicyDN
>> cn=Testgroup,ou=Houston,o=IBM,c=US


7. Now I try again to delete the Individual and Group Password Policies; with the references removed, both deletes succeed:
# idsldapdelete -p 2389 -D cn=root -w secret -k -f /tvo/work/del-pwd.ldif
>> Deleting entry cn=user10_pwd_policy,cn=ibmpolicies

and

# idsldapdelete -p 2389 -D cn=root -w secret -k -f /tvo/work/del-pwd-2.ldif
>> Deleting entry cn=Testgroup_pwd_policy,cn=ibmpolicies

Check that only the Global PwdPolicy is left:
# idsldapsearch -p 2389 -D cn=root -w secret -s sub -b " " objectclass=ibm-pwd*
cn=pwdpolicy,cn=ibmpolicies
objectclass=container
objectclass=pwdPolicy
objectclass=ibm-pwdPolicyExt
objectclass=ibm-pwdGroupAndIndividualPolicies
objectclass=top
cn=pwdPolicy
pwdAttribute=userPassword
pwdCheckSyntax=0
pwdGraceLoginLimit=0
pwdFailureCountInterval=0
passwordMaxRepeatedChars=0
passwordMaxConsecutiveRepeatedChars=0
pwdMinAge=0
pwdExpireWarning=0
pwdMinLength=0
passwordMinAlphaChars=0
passwordMinOtherChars=0
passwordMinDiffChars=0
pwdAllowUserChange=false
pwdMustChange=false
pwdLockoutDuration=660
ibm-pwdGroupAndIndividualEnabled=true
ibm-pwdpolicy=true
ibm-pwdPolicyStartTime=20130213151004Z
pwdinhistory=2
pwdlockout=true
pwdmaxage=7776000
pwdmaxfailure=3
pwdsafemodify=true

*** ONLY the Global PwdPolicy remains.
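To make steps 3 to 7 repeatable, here is a small POSIX shell script, added here as an example and not part of the IBM technote. It parses idsldapsearch output in the format shown above (the entry DN on a line by itself, then attr=value lines, entries separated by a blank line), lists every user or group entry that still references a given policy DN, generates the de-association LDIF, and refuses to run idsldapdelete while any reference remains. DN comparison is case-insensitive and ignores spaces after commas, because the page itself shows the same policy DN written as "cn=user10_pwd_policy, cn=ibmpolicies", "cn=user10_pwd_policy,cn=ibmpolicies" and "CN=USER10_PWD_POLICY,CN=IBMPOLICIES". The sample search output embedded in the script is constructed; the connection parameters (-p 2389, -D cn=root, -w secret on the command line) are copied from the technote's examples and are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the IBM technote: find and remove references to an
# Individual/Group password policy before deleting it (GLPRDB105E otherwise).

# Normalise a DN for comparison: lowercase, no whitespace after commas.
norm_dn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# policy_refs POLICY_DN  <idsldapsearch-output
# Prints one line per referencing entry: "<entry DN><TAB><attribute name>".
policy_refs() {
  awk -v target="$(norm_dn "$1")" '
    function norm(s) { s = tolower(s); gsub(/, +/, ",", s); return s }
    BEGIN {
      canon["ibm-pwdindividualpolicydn"] = "ibm-pwdIndividualPolicyDN"
      canon["ibm-pwdgrouppolicydn"]      = "ibm-pwdGroupPolicyDN"
    }
    /^[ \t]*$/ { dn = ""; next }        # blank line: the entry is finished
    dn == ""   { dn = $0; next }        # first line of an entry is its DN
    {
      eq = index($0, "=")
      if (eq == 0) next
      attr = tolower(substr($0, 1, eq - 1))
      if ((attr in canon) && norm(substr($0, eq + 1)) == target)
        print dn "\t" canon[attr]
    }'
}

# count_refs POLICY_DN  <idsldapsearch-output  ->  number of referencing entries
count_refs() {
  policy_refs "$1" | awk 'END { print NR }'
}

# deassign_ldif  <policy_refs-output
# Emits one LDIF modify record per referencing entry, like de-assign.ldif above.
deassign_ldif() {
  awk 'BEGIN { FS = "\t" }
       { printf "dn: %s\nchangetype: modify\ndelete: %s\n-\n\n", $1, $2 }'
}

# Constructed sample in idsldapsearch output format (not real directory data).
SAMPLE_SEARCH_OUTPUT='uid=user10,ou=Houston,o=ibm,c=us
ibm-pwdIndividualPolicyDN=cn=user10_pwd_policy, cn=ibmpolicies

uid=user11,ou=Houston,o=ibm,c=us

cn=Testgroup,ou=Houston,o=IBM,c=US
ibm-pwdGroupPolicyDN=cn=Testgroup_pwd_policy,cn=ibmpolicies

uid=user12,ou=Austin,o=ibm,c=us
ibm-pwdIndividualPolicyDN=CN=USER10_PWD_POLICY,CN=IBMPOLICIES'

# Live wrapper (defined, not run here): refuse to delete while references
# remain, printing the de-association LDIF to review and apply with
# "idsldapmodify -k -f". Assumes the idsldap* tools and the technote's
# port, bind DN and password (-p 2389 -D cn=root -w secret).
safe_delete_policy() {
  policy="$1" base="$2"
  refs=$(idsldapsearch -p 2389 -D cn=root -w secret -s sub -b "$base" 'objectclass=*' \
           ibm-pwdIndividualPolicyDN ibm-pwdGroupPolicyDN | policy_refs "$policy")
  if [ -n "$refs" ]; then
    printf '%s is still referenced; remove these references first:\n' "$policy" >&2
    printf '%s\n' "$refs" | deassign_ldif
    return 1
  fi
  printf '%s\n' "$policy" > del-pwd.ldif
  idsldapdelete -p 2389 -D cn=root -w secret -k -f del-pwd.ldif
}

# Demonstration on the constructed sample: two entries reference user10's policy.
printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | policy_refs 'cn=user10_pwd_policy,cn=ibmpolicies'
printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | policy_refs 'cn=user10_pwd_policy,cn=ibmpolicies' | deassign_ldif
```

On a live server, pipe the step 3/4 search (requesting both ibm-pwdIndividualPolicyDN and ibm-pwdGroupPolicyDN) into policy_refs; when count_refs reports 0 for a policy DN, the idsldapdelete in step 7 succeeds instead of logging GLPRDB105E.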



Document information

More support for: IBM Security Directory Server
Software version: 6.1, 6.2, 6.3
Operating system(s): All Platforms
Reference #: 1625413
Modified date: 2013-02-13
