directory-dev mailing list archives

From "Carlo Accorsi (JIRA)" <>
Subject [jira] [Created] (DIRSERVER-1750) Change password attribute with policy throws exception and does not complete operation
Date Fri, 05 Oct 2012 14:32:02 GMT
Carlo Accorsi created DIRSERVER-1750:

             Summary: Change password attribute with policy throws exception and does not complete operation
                 Key: DIRSERVER-1750
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: changepw
    Affects Versions: 2.0.0-M8
         Environment: Win32, Java 1.6.0_32
            Reporter: Carlo Accorsi
            Priority: Critical

Hi, we're receiving an exception when a user tries to reset their own expired password on
a grace login.

Relevant password policy fields:
ads-maxage=600 // expire password in 5 mins
ads-passwordmustchange=TRUE // causes pwdReset=TRUE on entry when ADMIN, not USER changes

ads-graceauthnlimit=5 // how many logins are permitted once password expires. 

Once the password has expired (as defined above), a subsequent bind as the user will cause
a pwdGraceUseTime attribute to be set with the time stamp of the login. This works great. When
the field is present, we are able to get the # of grace logins that remain from the response.

The issue occurs when at least one pwdGraceUseTime field is set and, binding as themselves, they
try to set the password. The password is set correctly (because logging in later with the
new password works), however an exception is thrown (below) while trying to remove the field pwdReset.
This field is not and should not be there in this case, as the password was only expired; it
was not reset by an admin. The code seems to be looking to delete this field and probably
the grace login fields afterwards but does not.  Perhaps the code to remove the field could
check for NoSuchAttributeException and continue as if it were deleted.  Thanks!!

Here is the code snip. 

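	// Needs javax.naming.directory.* and javax.naming.ldap.*; PasswordPolicyRqControl is the reporter's own class.
	// newPassword is a placeholder: the value argument is cut off in the original message.
	ModificationItem[] mods = new ModificationItem[1];
	mods[0] = new ModificationItem(LdapContext.REPLACE_ATTRIBUTE, new BasicAttribute("userPassword", newPassword));
	try {
		// set control in here.
		ctx.setRequestControls(new Control[]{new PasswordPolicyRqControl()});
		ctx.modifyAttributes(strDn, mods);
	} catch (InvalidAttributeValueException iae) {
		// handler body not included in the original message
	} catch (NoSuchAttributeException nae) {
		// handler body not included in the original message
	}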

Exception [LDAP: error code 16 - NO_SUCH_ATTRIBUTE:
failed for MessageType : MODIFY_REQUEST
Message ID : 2
    Modify Request
        Object : 'uid=1307087872588,ou=users,ou=int,o=cpro'
                Operation :  replace
    userPassword: '0x23 0x62 0x6F 0x73 0x74 0x6F 0x6E 0x31 '
   ManageDsaITImpl Control
        Type OID    : '2.16.840.1.113730.3.4.2'
        Criticality : 'false'
: ERR_55 Trying to remove an non-existant attribute: ATTRIBUTE_TYPE (
 NAME 'pwdReset'
 DESC The indication that the password has been reset
 EQUALITY booleanMatch
 USAGE directoryOperation
]; remaining name 'uid=1307087872588,ou=users,ou=int,o=cpro'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(
	at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(
	at com.ibsamericainc.dir.DirectoryAdapterConnection.setAttribute(
	at com.ibsamericainc.dir.DirectoryAdapterPassword.setUpdatePassword(
	at com.ibsamericainc.dir.DirectoryAdapter.setUpdateUserPassword(
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(
	at java.lang.reflect.Method.invoke(

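The suggestion in the report, treating an absent pwdReset as already removed, can be modelled as follows. This is an added example, not ApacheDS code and not the reporter's: the map-based entry, the class and method names and the sample values are assumptions, and it goes slightly further than the report by making the change all-or-nothing.

```java
import java.util.*;

// Added illustration, not ApacheDS code: an entry is modelled as attribute name -> values.
public class PwdPolicyCleanup {
    static final List<String> STATE_ATTRS = Arrays.asList("pwdReset", "pwdGraceUseTime");

    // Presence-checked plan: only request removal of state attributes the entry actually holds.
    static List<String> planCleanup(Map<String, List<String>> entry) {
        List<String> removals = new ArrayList<>();
        for (String attr : STATE_ATTRS) {
            if (entry.containsKey(attr)) removals.add(attr);
        }
        return removals;
    }

    // Applies the password replace plus the removals to a copy and commits only if every
    // step succeeds, so a failed cleanup cannot leave a half-applied change behind.
    static void changePassword(Map<String, List<String>> entry, String newPw, List<String> removals) {
        Map<String, List<String>> work = new HashMap<>(entry);
        work.put("userPassword", Arrays.asList(newPw));
        for (String attr : removals) {
            if (work.remove(attr) == null) {
                throw new IllegalStateException("NO_SUCH_ATTRIBUTE: " + attr);
            }
        }
        entry.clear();
        entry.putAll(work);
    }

    public static void main(String[] args) {
        // Constructed sample: password expired, one grace login used, never reset by an admin.
        Map<String, List<String>> user = new HashMap<>();
        user.put("userPassword", Arrays.asList("old-secret"));
        user.put("pwdGraceUseTime", Arrays.asList("20121005143000Z"));

        try {
            changePassword(user, "new-secret", STATE_ATTRS); // unconditional removal
        } catch (IllegalStateException e) {
            System.out.println("unconditional: " + e.getMessage() + ", entry unchanged: "
                    + user.get("userPassword").contains("old-secret"));
        }

        changePassword(user, "new-secret", planCleanup(user)); // presence-checked removal
        System.out.println("presence-checked: password changed, grace logins cleared: "
                + !user.containsKey("pwdGraceUseTime"));
    }
}
```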