Using OUD Transformations to expose Operational attributes as Regular ones

Some (badly written) LDAP client applications expect to get operational attributes along with regular attributes when they search the directory w/o specifying attributes explicitely. The LDAP standards specify that operation attributes have to be explicitely requested in the search request. Alternatively, the special character + can be used to retrieve all the operational attributes w/o specifying explictely one by one.

OUD adheres to the LDAP standard, so operational attributes must be explicitely specified in a search request.
A specific option to facilitate migration from other directories can be used to expose schema related attributes (objectclasses, attributeTypes) as regular attributes. This option is described in one of my posts at

However, others operational attributes are not exposed. Don’t worry, OUD transformations framework can help you to solve this specific integration problem:

Say you have an client application that expects the (operational)  pwdChangedTime attribute to be returned systematically as a user attribute.

First, setup a OUD proxy. The client application in question will point to that proxy, but others applications will not be subject to the (non-standard) directory server behaviour.

Then create a Add Outbound Transformation as below:

dsconfig create-transformation \
–set client-attribute:pwdChangedTime=%pwdChangedTime% \
–type add-outbound-attribute \
–transformation-name Mymap \ 

Then put that transformation to a transformation workflow element:

dsconfig create-workflow-element \
–set enabled:true \
–set next-workflow-element:userRoot\
–set transformation:myMap \
–type transformations \
–element-name myTransfo \ 

Insert your transformation workflow element to the appropriate workflow:

dsconfig set-workflow-prop \
–workflow-name workflow1 \
–set workflow-element:myTransfo \ 

Update the OUD Proxy schema, so that the pwdChangedTime is no longer declared as Operational. All you need to do is remove the  Usage DirectoryOperation and the NO-USER-MODICATION flag. Either modify the schema via LDAP or use the procedure below:

stop the OUD proxy
copy default schema
cp <OUD_HOME>/config/schema/01-pwpolicy.ldif <OUD_PROXY_INSTANCE>/OUD/config/schema
edit <OUD_PROXY_INSTANCE>/OUD/config/schema and change the pwdChangedTime definition as below:

 attributeTypes: ( NAME ‘pwdChangedTime’
DESC ‘The time the password was last changed’ EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch SYNTAX
X-ORIGIN ‘draft-behera-ldap-password-policy’ )

restart the OUD proxy

At that stage, pwdChangedTime will be returned by a LDAP search with attribute list set to * or empty.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s