directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSERVER-1830) when ads-pwdMaxIdle > 0 no more authentication possible
Date Mon, 06 May 2013 17:02:17 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-1830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13649867#comment-13649867 ]

Emmanuel Lecharny commented on DIRSERVER-1830:
----------------------------------------------

Here are the two places where we use the pwdMaxIdle :

bind : 
            if ( policyConfig.getPwdMaxIdle() > 0 )
            {
                Attribute pwdLastSuccesTimeAt = new DefaultAttribute( AT_PWD_LAST_SUCCESS );
                pwdLastSuccesTimeAt.add( DateUtils.getGeneralizedTime() );
                Modification pwdLastSuccesTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdLastSuccesTimeAt );
                mods.add( pwdLastSuccesTimeMod );
            }

We get the date the password was last modified, we update it with the current date. No check
here.

and in the checkPwdPolicy method, which is called when we lookup the password :

        if ( pPolicyConfig.getPwdMaxIdle() > 0 )
        {
            Attribute pwdLastSuccessTimeAttr = userEntry.get( PWD_LAST_SUCCESS_AT );

            // Let's be sure that the user has already logged in
            if ( pwdLastSuccessTimeAttr != null )
            {
                long time = pPolicyConfig.getPwdMaxIdle() * 1000L;
                time += DateUtils.getDate( pwdLastSuccessTimeAttr.getString() ).getTime();

                if ( System.currentTimeMillis() >= time )
                {
                    throw new PasswordPolicyException(
                        "account locked due to the max idle time of the password was exceeded",
                        ACCOUNT_LOCKED.getValue() );
                }
            }
        }

Here, we get the time the user successfully authenticated, we add the pwdMaxIdle time to it
and we compare this date with the current date.

I don't see anything that would forbid an authentication :/

Can you setup the logs on the server in debug mode ?
                
> when ads-pwdMaxIdle > 0 no more authentication possible
> -------------------------------------------------------
>
>                 Key: DIRSERVER-1830
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1830
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 2.0.0-M11
>         Environment: CentOS
>            Reporter: Michael Witzel
>
> when I configure ads-pwdMaxIdle > 0 no authentication is possible, neither with admin, nor with other users
> Eclipse Studio:
> Error opening the connection
>  - [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=system]
> java.lang.Exception: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=system]
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1279)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:109)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:450)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
> 	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> 	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> 	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53)
> [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=system]
> wrapper.log
> INFO   | jvm 1    | 2013/04/18 14:24:06 | [14:24:06] ERROR [org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler] - ERR_169 failed to unbind session properly
> INFO   | jvm 1    | 2013/04/18 14:24:06 | org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find a partition for 
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:927)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:794)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:266)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:690)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1159)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1230)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1073)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:50)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:38)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:219)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
> INFO   | jvm 1    | 2013/04/18 14:24:06 |       at java.lang.Thread.run(Thread.java:662)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
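The two snippets quoted in the comment above describe one small state machine: a successful bind REPLACEs pwdLastSuccess with the current GeneralizedTime, and the policy check later refuses the account once that timestamp plus pwdMaxIdle seconds lies in the past. The following Python model of that logic is an added example, not ApacheDS code; it assumes the attribute is named pwdLastSuccess, that its value is an RFC 4517 GeneralizedTime (e.g. 20130418142406Z), and the user entry and timestamps below are constructed. It reproduces the ordering that matters for a reviewer: a non-positive pwdMaxIdle disables the rule, a missing pwdLastSuccess admits a user who has never bound, and the deadline boundary itself counts as expired, exactly like the >= in the Java.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entry (not from the issue): a user whose last successful
# bind was recorded as a GeneralizedTime, the value the bind snippet writes.
SAMPLE_ENTRY = {"uid": "alice", "pwdLastSuccess": "20130418142406Z"}


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime (RFC 4517) into an aware UTC datetime.

    Accepts the plain 'YYYYMMDDHHMMSSZ' form, an optional fractional second
    ('.' or ','), and either 'Z' or a numeric offset such as '+0100'.
    """
    for fmt in ("%Y%m%d%H%M%S%z", "%Y%m%d%H%M%S.%f%z", "%Y%m%d%H%M%S,%f%z"):
        try:
            return datetime.strptime(value, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a GeneralizedTime: {value!r}")


def to_generalized_time(when: datetime) -> str:
    """Format an aware datetime as a UTC GeneralizedTime with second precision."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def check_pwd_max_idle(entry: dict, pwd_max_idle: int, now: datetime) -> tuple:
    """Apply the pwdMaxIdle rule to an entry; returns (allowed, reason).

    Same decision order as the quoted checkPwdPolicy snippet:
      1. pwdMaxIdle <= 0           -> rule disabled, allow
      2. no pwdLastSuccess present -> user never authenticated, allow
      3. now >= last + pwdMaxIdle  -> locked (boundary counts as expired)
    """
    if pwd_max_idle <= 0:
        return True, "pwdMaxIdle check disabled"
    last = entry.get("pwdLastSuccess")
    if last is None:
        return True, "no pwdLastSuccess, first login allowed"
    deadline = parse_generalized_time(last) + timedelta(seconds=pwd_max_idle)
    if now >= deadline:
        return False, "account locked: max idle time of the password exceeded"
    return True, "within idle window"


def record_successful_bind(entry: dict, pwd_max_idle: int, now: datetime) -> dict:
    """What the quoted bind snippet does after a successful bind.

    Only when pwdMaxIdle > 0 (the same guard as the Java), pwdLastSuccess is
    REPLACEd with the current time. The entry is updated in place and returned.
    """
    if pwd_max_idle > 0:
        entry["pwdLastSuccess"] = to_generalized_time(now)
    return entry


if __name__ == "__main__":
    # Walk one user through the window: inside it, on the boundary, and after
    # a fresh bind has reset the clock. All instants are constructed.
    max_idle = 3600  # one hour, as a configured ads-pwdMaxIdle would be
    for stamp in ("20130418143000Z", "20130418152405Z", "20130418152406Z"):
        print(stamp, check_pwd_max_idle(SAMPLE_ENTRY, max_idle, parse_generalized_time(stamp)))
    entry = record_successful_bind(dict(SAMPLE_ENTRY), max_idle, parse_generalized_time("20130418152405Z"))
    print("after bind:", entry["pwdLastSuccess"],
          check_pwd_max_idle(entry, max_idle, parse_generalized_time("20130418160000Z")))
```

Run on its own it prints the three verdicts for the constructed timestamps and the one after the simulated bind. When reading a report like this one, the model makes the useful questions concrete: is pwdLastSuccess actually being persisted by the bind path (otherwise every user looks like a first login and the check cannot lock anyone), is it stored in a form the parser accepts, and are server clock and stored timestamps in the same time base, since a skewed clock moves the deadline without any change to the entry.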
