directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kiran Ayyagari (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DIRSERVER-1750) Change password attribute with policy throws exception and does not complete operation
Date Fri, 05 Oct 2012 14:40:02 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Kiran Ayyagari updated DIRSERVER-1750:
--------------------------------------

    Component/s:     (was: changepw)
                 core
    
> Change password attribute with policy throws exception and does not complete operation
> --------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1750
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1750
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.0-M8
>         Environment: Win32, Java 1.6.0_32
>            Reporter: Carlo Accorsi
>            Priority: Critical
>
> Hi, we're receiving an exception when a user tries to reset their own expired password
on a grace login.
> Relevant password policy fields:
> ads-maxage=600 // expire password in 5 mins
> ads-passwordmustchange=TRUE // causes pwdReset=TRUE on entry when ADMIN, not USER changes

> ads-graceauthnlimit=5 // how many logins are permitted once password expires. 
> Once the password has expired (as defined above) a subsequent bind as the user, will
cause a pwdGraceUseTime attribute to be set with time stamp of the login. This works great.
When the field is present, we are able to get the # of gracelogins that remain from the response
controls.
> The issue occurs when at least one pwdGraceUseTime field set and binding as themselves,
they try to set the password. The password is set correctly (becasue logging in later with
the new password works) however an exception thrown (below) while trying to remove the field
pwdReset. This field is not and should not be there in this case as the password was only
expired, it was not reset by an admin. The code seems to be looking to delete this field and
probably the grace login fields afterwards but does not.  Perhaps the code to remove the field
could check for NoSuchAttributeException and continue as if it were deleted.  Thanks!!
> Here is the code snip. 
> 	ModificationItem[] mods = new ModificationItem[1];
> 		mods[0] = new ModificationItem(LdapContext.REPLACE_ATTRIBUTE, new BasicAttribute("userPassword",
strValue));
> 			try {
> 				// set control in here. 
> 				ctx.setRequestControls(new Control[]{new PasswordPolicyRqControl()});	
> 				ctx.modifyAttributes(strDn, mods);
> 			} catch (InvalidAttributeValueException iae){
>                             iae.printStackTrace();
> 			} catch (NoSuchAttributeException nae){
>                             nae.printStackTrace();
> 			} 
> Exception
> javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - NO_SUCH_ATTRIBUTE:
failed for MessageType : MODIFY_REQUEST
> Message ID : 2
>     Modify Request
>         Object : 'uid=1307087872588,ou=users,ou=int,o=cpro'
>             Modification[0]
>                 Operation :  replace
>                 Modification
>     userPassword: '0x23 0x62 0x6F 0x73 0x74 0x6F 0x6E 0x31 '
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@b95d19f4org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyImpl@e4d0cd
   ManageDsaITImpl Control
>         Type OID    : '2.16.840.1.113730.3.4.2'
>         Criticality : 'false'
> '
> : ERR_55 Trying to remove an non-existant attribute: ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.22
>  NAME 'pwdReset'
>  DESC The indication that the password has been reset
>  EQUALITY booleanMatch
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>  SINGLE-VALUE
>  USAGE directoryOperation
>  )
> ]; remaining name 'uid=1307087872588,ou=users,ou=int,o=cpro'
> 	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3062)
> 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
> 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
> 	at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1455)
> 	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
> 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
> 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
> 	at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:148)
> 	at com.ibsamericainc.dir.DirectoryAdapterConnection.setAttribute(DirectoryAdapterConnection.java:367)
> 	at com.ibsamericainc.dir.DirectoryAdapterPassword.setUpdatePassword(DirectoryAdapterPassword.java:277)
> 	at com.ibsamericainc.dir.DirectoryAdapter.setUpdateUserPassword(DirectoryAdapter.java:248)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message