By Sylvain Duloutre-Oracle on Oct 02, 2014
Some (badly written) LDAP client applications expect operational attributes to be returned along with the regular attributes when they search the directory without listing attributes explicitly. The LDAP standards specify that operational attributes have to be explicitly requested in the search request; alternatively, the special attribute name "+" (RFC 3673) can be used to retrieve all operational attributes without naming them one by one.
OUD adheres to the LDAP standard, so operational attributes must be explicitly specified in a search request.
A specific option exists to facilitate migration from other directories: it exposes the schema-related attributes (objectClasses, attributeTypes) as regular attributes. That option is described in one of my earlier posts at https://blogs.oracle.com/sduloutr/entry/oracle_unified_directory_root_dse
Other operational attributes, however, are not exposed that way. Don't worry, the OUD transformation framework can help you solve this specific integration problem:
Say you have a client application that expects the (operational) pwdChangedTime attribute to be returned systematically, as if it were a user attribute.
First, set up an OUD proxy in front of the directory server and point only the client application in question at it. The other applications keep talking to the directory server and are not exposed to the (non-standard) behaviour. Keep that split: every client of this proxy, not just the one you have in mind, gets password change timestamps returned without asking for them.
Then create an Add Outbound Attribute transformation as below:
dsconfig create-transformation \
  --type add-outbound-attribute \
  --transformation-name myMap \
  --set client-attribute:pwdChangedTime=%pwdChangedTime%
Then put that transformation in a transformations workflow element (the transformation name must match the one created above):
dsconfig create-workflow-element \
  --type transformations \
  --element-name myTransfo \
  --set enabled:true \
  --set transformation:myMap
Insert your transformation workflow element into the appropriate workflow:
dsconfig set-workflow-prop \
  --workflow-name workflow1 \
  --set workflow-element:myTransfo
Finally, update the OUD proxy schema so that pwdChangedTime is no longer declared as operational. All you need to do is remove the USAGE directoryOperation and the NO-USER-MODIFICATION flags from its definition. Be aware that without NO-USER-MODIFICATION the proxy itself no longer rejects client writes to pwdChangedTime; the backend directory server, whose schema is unchanged, still enforces it. Either modify the schema via LDAP or use the procedure below:
stop the OUD proxy
copy the default schema file into the proxy instance:
cp <OUD_HOME>/config/schema/01-pwpolicy.ldif <OUD_PROXY_INSTANCE>/OUD/config/schema/
edit <OUD_PROXY_INSTANCE>/OUD/config/schema/01-pwpolicy.ldif and change the pwdChangedTime definition as below:
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime'
  DESC 'The time the password was last changed' EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  X-ORIGIN 'draft-behera-ldap-password-policy' )
restart the OUD proxy
At that stage, pwdChangedTime is returned by an LDAP search through the proxy whose attribute list is "*" or empty. The same search against the directory server itself still returns it only when named explicitly (or via "+"), which is a quick way to confirm that only the proxy carries the non-standard behaviour.
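The whole procedure as one script, as an added example that is neither part of the original post nor an OUD-supplied tool. Host, ports, bind DN, password file, instance paths, the element the new transformations workflow element chains to (next-workflow-element, assumed to be required and to name whatever workflow1 uses today) and the test entry are placeholders. The dsconfig commands are those of the post with standard connection options added. The schema edit is done by a text function that only touches the definition whose NAME matches, so it can be exercised offline on a constructed attributeTypes line; the same change is also emitted as an LDIF modify of cn=schema for the "via LDAP" route, and the final search is the check that the proxy now returns the attribute without it being requested.

```shell
#!/bin/sh
# Added example, not part of the original post and not an OUD-supplied tool.
# Values in this block are placeholders (assumptions); override via environment.
set -eu

PROXY_HOST="${PROXY_HOST:-oudproxy.example.com}"            # assumed
ADMIN_PORT="${ADMIN_PORT:-4444}"                            # assumed admin port
LDAP_PORT="${LDAP_PORT:-1389}"                              # assumed proxy LDAP port
BIND_DN="${BIND_DN:-cn=Directory Manager}"                  # assumed
PW_FILE="${PW_FILE:-${HOME:-/tmp}/.oud-pw}"                 # assumed password file
OUD_HOME="${OUD_HOME:-/opt/oud}"                            # assumed <OUD_HOME>
PROXY_INSTANCE="${PROXY_INSTANCE:-/opt/oud/asinst_proxy}"   # assumed <OUD_PROXY_INSTANCE>
NEXT_ELEMENT="${NEXT_ELEMENT:-load-bal-we1}"                # assumed: element workflow1 uses today
TEST_DN="${TEST_DN:-uid=jdoe,ou=People,dc=example,dc=com}"  # assumed test entry
ATTR="pwdChangedTime"

# Unfold LDIF: a line beginning with one space continues the previous line.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Make the attribute type named $1 non-operational: drop NO-USER-MODIFICATION
# and USAGE directoryOperation from that definition only, leaving every other
# keyword and every other definition untouched. Unfolded LDIF on stdin/stdout.
demote_operational_attr() {
    sed -e "/NAME '$1'/s/ NO-USER-MODIFICATION//" \
        -e "/NAME '$1'/s/ USAGE directoryOperation//"
}

# Same change as an LDAP modify of cn=schema (the "via LDAP" alternative):
# delete the old definition value, add the rewritten one. $1 is the unfolded
# old "attributeTypes: ( ... )" line.
schema_modify_ldif() {
    new=$(printf '%s\n' "$1" | demote_operational_attr "$ATTR")
    printf 'dn: cn=schema\nchangetype: modify\ndelete: attributeTypes\n%s\n-\nadd: attributeTypes\n%s\n-\n' \
        "$1" "$new"
}

# dsconfig against the proxy's admin port, non-interactive (connection options
# are standard dsconfig flags; the values are the assumptions above).
dsc() {
    "$OUD_HOME/bin/dsconfig" -h "$PROXY_HOST" -p "$ADMIN_PORT" \
        -D "$BIND_DN" -j "$PW_FILE" -X -n "$@"
}

# Steps 1-3 of the post: transformation, workflow element, workflow.
configure_proxy() {
    dsc create-transformation --type add-outbound-attribute \
        --transformation-name myMap \
        --set "client-attribute:$ATTR=%$ATTR%"
    # next-workflow-element: assumed to be required for a proxy chain.
    dsc create-workflow-element --type transformations \
        --element-name myTransfo --set enabled:true \
        --set transformation:myMap \
        --set "next-workflow-element:$NEXT_ELEMENT"
    dsc set-workflow-prop --workflow-name workflow1 \
        --set workflow-element:myTransfo
}

# Step 4 of the post: copy the default schema file into the proxy instance
# with pwdChangedTime demoted, across a stop/start of the proxy.
patch_proxy_schema() {
    src="$OUD_HOME/config/schema/01-pwpolicy.ldif"
    dst="$PROXY_INSTANCE/OUD/config/schema/01-pwpolicy.ldif"
    "$PROXY_INSTANCE/OUD/bin/stop-ds"
    unfold_ldif < "$src" | demote_operational_attr "$ATTR" > "$dst"
    "$PROXY_INSTANCE/OUD/bin/start-ds"
}

# The check: a base search with no attribute list through the proxy must now
# return the attribute. grep exits 1 if it is missing, which fails the script.
verify() {
    "$OUD_HOME/bin/ldapsearch" -h "$PROXY_HOST" -p "$LDAP_PORT" \
        -D "$BIND_DN" -j "$PW_FILE" -b "$TEST_DN" -s base "(objectClass=*)" \
        | grep -i "^$ATTR:"
}

# Only act when asked; sourcing or running without "apply" just defines functions.
if [ "${1:-}" = "apply" ]; then
    configure_proxy
    patch_proxy_schema
    verify
fi
```

Run it with `apply` to execute against a proxy; without arguments it only defines the functions, so the text helpers can be tried on a copy of 01-pwpolicy.ldif first. Because demote_operational_attr is anchored on `NAME 'pwdChangedTime'`, the other password policy attributes in the same file (pwdAccountLockedTime, pwdHistory, ...) stay operational.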