For some reason my LDAP search doesn't seem to be returning all the attributes available for a given DN.

Using the following code:

import javax.naming.CompositeName;
import javax.naming.directory.*;

DirContext ctx = new InitialDirContext(mEnv);                  // connect using the environment in mEnv
DirContext obj = (DirContext) ctx.lookup(dn);                  // context bound to the entry at dn
Attributes attrs = obj.getAttributes(new CompositeName(""));   // returns only the default (user) attribute set

(Where mEnv is a valid Properties class, and dn is a valid DN)

I'm getting back just 7 attributes ("cn", "orclpassword", "objectclass", "mail", "authpassword;orclcommonpwd", "userpassword", "sn"), whereas I can see in Oracle Directory Manager that there are many more (including "orclIsEnabled" and "pwdaccountlockedtime")

Is anyone able to shed any light on the "missing" attributes?

(Note: my experience with LDAP is pretty limited)

Thanks :-)

+2  A: 

There are 2 basic possibilities why an LDAP search will not return attributes you know are there:

  1. You don't have permission to see them (check access control information, or bind as a more privileged user)

  2. They are defined as "operational" (internal) attributes that are not returned by default, but will be present if you ask for them by name (by using the version of getAttributes() that takes an array of attribute names).

David Gelhar
Thank you. Am binding as orcladmin, so pretty sure it's not #1. About to try #2.
cagcowboy
Still no joy I'm afraid. I turned up what might be the answer on a blog... see my answer. Thanks for trying!
cagcowboy
If you are looking for the password policy, you do have to explicitly ask for it, just like David said.
Dave
A: 

Came across this:

"oracle doesn't expose the needed attributes via the OID LDAP interface."

http://blog.mikesidoti.com/2007/05/how-to-query-oid-to-find-expired.html

cagcowboy
A: 

pwdaccountlockedtime is definitely an operational attribute according to the documentation.

Querying the underlying database (as in your link) should be a last resort.

Andrew Strong
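As an added example (not code from the question or any of the answers), the following JNDI snippet shows David Gelhar's second point and Andrew Strong's note in practice: operational attributes such as pwdaccountlockedtime are omitted from the default attribute set and have to be requested by name through the getAttributes(String, String[]) overload, or through a base-scope search whose returning-attribute list includes them. The server URL, bind DN, entry DN and the LDAP_BIND_PASSWORD environment variable are placeholders assumed for illustration; the "+" request-all-operational-attributes convention comes from RFC 3673 and is not supported by every directory server, so the explicit name list is the reliable path.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class OperationalAttributesExample {

    // Placeholder connection details (assumed for this example); use LDAPS so the
    // bind password and any returned password-policy data are not sent in clear text.
    static final String LDAP_URL = "ldaps://oid.example.com:636";
    static final String BIND_DN = "cn=orcladmin";
    static final String BIND_PASSWORD = System.getenv("LDAP_BIND_PASSWORD");

    // Operational attributes named in the question; they are only returned on request.
    static final String[] LOCKOUT_ATTRS = { "orclIsEnabled", "pwdaccountlockedtime" };

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        return new InitialDirContext(env);
    }

    // Option 1: ask for the operational attributes explicitly by name.
    static Attributes lockoutAttributes(DirContext ctx, String dn) throws NamingException {
        return ctx.getAttributes(dn, LOCKOUT_ATTRS);
    }

    // Option 2: base-scope search requesting "*" (user attributes) plus "+"
    // (all operational attributes, RFC 3673; support varies by server).
    static Attributes userAndOperationalAttributes(DirContext ctx, String dn) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.OBJECT_SCOPE);
        controls.setReturningAttributes(new String[] { "*", "+" });
        NamingEnumeration<SearchResult> results = ctx.search(dn, "(objectClass=*)", controls);
        try {
            return results.hasMore() ? results.next().getAttributes() : null;
        } finally {
            results.close();
        }
    }

    // Print attribute names and values, but never echo password material to the console.
    static void dump(String label, Attributes attrs) throws NamingException {
        System.out.println("== " + label);
        if (attrs == null) {
            System.out.println("(entry not found)");
            return;
        }
        NamingEnumeration<? extends Attribute> all = attrs.getAll();
        try {
            while (all.hasMore()) {
                Attribute a = all.next();
                String id = a.getID();
                boolean secret = id.toLowerCase().contains("password");
                System.out.println(id + ": " + (secret ? "<redacted, " + a.size() + " value(s)>" : a.get()));
            }
        } finally {
            all.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder entry DN; pass a real DN as the first argument.
        String dn = args.length > 0 ? args[0] : "cn=jdoe,cn=Users,dc=example,dc=com";
        DirContext ctx = connect();
        try {
            dump("requested by name", lockoutAttributes(ctx, dn));
            dump("\"*\" and \"+\" search", userAndOperationalAttributes(ctx, dn));
        } finally {
            ctx.close();
        }
    }
}
```

If pwdaccountlockedtime still comes back empty when requested by name while Oracle Directory Manager shows a value, the remaining explanations are the ones already given in this thread: access control on the bound identity, or the attribute not being exposed through the LDAP interface at all; querying the backing database directly, as the linked blog describes, bypasses the directory's access controls and should stay a last resort.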