directory-users mailing list archives

From sumit goyal <sumit.goya...@gmail.com>
Subject Re: Resetting the password for admin user
Date Wed, 23 Sep 2009 02:58:05 GMT
Finally I was able to change the admin password.

While working on the server.xml, a question came up: what is the
difference between these 2 stanzas in the XML?

  <defaultDirectoryService id="directoryService" instanceId="default"
                           workingDirectory="rdsinst"
                           allowAnonymousAccess="false"
                           accessControlEnabled="true"
                           denormalizeOpAttrsEnabled="false">



  <apacheDS id="apacheDS"
            synchPeriodMillis="15000"
            allowAnonymousAccess="false">

    <directoryService>#directoryService</directoryService>
    <ldapService>#ldapService</ldapService>
    <ldapsService>#ldapsService</ldapsService>
  </apacheDS>


What if we have conflicting values for 'allowAnonymousAccess' in these?

thanks
Sumit
Charles de Gaulle <http://www.brainyquote.com/quotes/authors/c/charles_de_gaulle.html>
- "The better I get to know men, the more I find myself loving dogs."

On Tue, Sep 22, 2009 at 11:48 PM, Alex Karasulu <akarasulu@gmail.com> wrote:

> Ahhh yeah let us know how that goes.
>
> Alex
>
> On Tue, Sep 22, 2009 at 7:18 PM, sumit goyal <sumit.goyal84@gmail.com> wrote:
>
> > Hi Alex,
> >
> > Thanks for your response.
> >
> > DefaultAuthorizationService was already commented out.
> >
> > I changed accessControlEnabled to "false". It worked like a charm. I guess
> > I would be able to complete the reset operation now.
> >
> > Thanks again!
> > Sumit
> > Ogden Nash <http://www.brainyquote.com/quotes/authors/o/ogden_nash.html> -
> > "The trouble with a kitten is that when it grows up, it's always a cat."
> >
> > On Tue, Sep 22, 2009 at 9:24 PM, Alex Karasulu <akarasulu@gmail.com>
> > wrote:
> >
> > > Comment out the DefaultAuthorizationService if you have the interceptor
> > > chain defined in your server.xml file.  This is what is causing the
> > > insufficient rights exception.
> > >
> > > Alex
> > >
> > > On Tue, Sep 22, 2009 at 6:52 PM, sumit goyal <sumit.goyal84@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Thanks for your answers.
> > > >
> > > > I was able to start the ADS 1.5.4 server after changing
> > > > "allowAnonymousAccess" to true. I can connect to this server using Apache
> > > > Directory Studio, without specifying any authentication.
> > > >
> > > > But when I browse to an entry and try to change the value of an attribute, I
> > > > get the following error in Studio. Looks like it's a permission issue that I
> > > > have hit now.
> > > >
> > > > Error while modifying value
> > > >  - [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for Modify Reques
> > > >  javax.naming.NoPermissionException: [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for     Modify Request
> > > >        Object : '0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
> > > >            Modification[0]
> > > >                Operation :  replace
> > > >                Modification
> > > >    rdsisuseraccountlocked: 43265
> > > > : null]; remaining name 'uid=tdsadmin,ou=People,dc=test,dc=com'
> > > >    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3008)
> > > >    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2946)
> > > >    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
> > > >    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1452)
> > > >    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:270)
> > > >    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:187)
> > > >    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$2.run(JNDIConnectionWrapper.java:494)
> > > >    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1116)
> > > >    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1047)
> > > >    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.modifyEntry(JNDIConnectionWrapper.java:534)
> > > >    at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.modifyValue(ModifyValueJob.java:190)
> > > >    at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.executeAttributeModificationJob(ModifyValueJob.java:90)
> > > >    at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractAttributeModificationJob.executeNotificationJob(AbstractAttributeModificationJob.java:46)
> > > >    at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractNotificationJob.executeAsyncJob(AbstractNotificationJob.java:43)
> > > >    at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractEclipseJob.run(AbstractEclipseJob.java:101)
> > > >    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
> > > >
> > > >  [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for Modify Request
> > > >        Object : '0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
> > > >            Modification[0]
> > > >                Operation :  replace
> > > >                Modification
> > > >    rdsisuseraccountlocked: 43265
> > > > : null]
> > > >
> > > > Any ideas?
> > > >
> > > > Regards
> > > > Sumit
> > > > Joan Crawford <http://www.brainyquote.com/quotes/authors/j/joan_crawford.html>
> > > > - "I, Joan Crawford, I believe in the dollar. Everything I earn, I spend."
> > > >
> > > > On Sat, Sep 19, 2009 at 8:04 PM, Alex Karasulu <akarasulu@gmail.com> wrote:
> > > >
> > > > > On Sat, Sep 19, 2009 at 4:36 PM, Stefan Zoerner <stefan@labeo.de> wrote:
> > > > >
> > > > > > Alex Karasulu wrote:
> > > > > >
> > > > > >> The administrator entry is just like any other entry and the
> > > > > >> userPassword field is like any other attribute.   You can use these LDAP
> > > > > >> client tools to update this attribute just the same way even on your SUN
> > > > > >> machine since this goes over the wire.
> > > > > >>
> > > > > >> Hence this mechanism also works for ApacheDS however note that you'll
> > > > > >> need either the SUN or the OpenLDAP client since we don't have command
> > > > > >> line tools.
> > > > > >>
> > > > > >
> > > > > > I assume the question is: How to reset the password, if forgotten. The
> > > > > > only idea I currently have:
> > > > > >
> > > > > > - Allow anonymous bind with complete authorization.
> > > > > > - Reset the password attribute, just as Alex proposes
> > > > > > - disallow anonymous bind with complete authorization.
> > > > > >
> > > > > > But I am not sure, whether opening the server that way is possible (be
> > > > > > sure that it is not available over the wire for others at that time).
> > > > > >
> > > > > >
> > > > > If you've forgotten the administrator password and cannot bind to reset
> > > > > then Stefan is absolutely right about having to open up the server.  There
> > > > > are 2 things you'll need to do.  Remove all the authorization interceptors
> > > > > and enable anonymous binds.  This way you'll be able to have anyone reset
> > > > > the administrator password.  Then you can re-enable the authorization and
> > > > > shut off anonymous binds.  It would be nice to have some self service
> > > > > applications to run in the embedded Jetty container now that we have the
> > > > > container integrated.  This would make it really easy for users to manage
> > > > > and reset their passwords.
> > > > >
> > > > > Really I recommend setting the admin password to something and stowing it
> > > > > away.  You can elevate regular users to administrator status by putting
> > > > > them in the Administrator group.  The authorization subsystem checks to
> > > > > see if users are in this group to give them administrator rights.
> > > > >
> > > > > Regards,
> > > > > --
> > > > > Alex Karasulu
> > > > > My Blog :: http://www.jroller.com/akarasulu/
> > > > > Apache Directory Server :: http://directory.apache.org
> > > > > Apache MINA :: http://mina.apache.org
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Alex Karasulu
> > > My Blog :: http://www.jroller.com/akarasulu/
> > > Apache Directory Server :: http://directory.apache.org
> > > Apache MINA :: http://mina.apache.org
> > >
> >
>
>
>
> --
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
>

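An added example, not code from the thread or from the ApacheDS project: a small Python audit that parses a server.xml in the shape of the two stanzas quoted above and reports the settings the reset procedure loosens (anonymous access on either stanza, access control switched off), so that a server is not left open once the password has been reset. The sample XML is constructed; elements are matched by local name so a namespaced real file parses the same way, and a mismatch between the two allowAnonymousAccess attributes is only flagged, not resolved, since the thread does not say which one the server honours.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two stanzas quoted in the thread; a real
# server.xml wraps them in a namespaced <spring:beans> root, which the
# local-name matching below also handles.
SAMPLE_SERVER_XML = """<beans>
  <defaultDirectoryService id="directoryService" instanceId="default"
                           workingDirectory="rdsinst"
                           allowAnonymousAccess="false"
                           accessControlEnabled="true"
                           denormalizeOpAttrsEnabled="false"/>
  <apacheDS id="apacheDS" synchPeriodMillis="15000"
            allowAnonymousAccess="true">
    <directoryService>#directoryService</directoryService>
  </apacheDS>
</beans>
"""

def _local_name(tag):
    """Drop a '{namespace}' prefix so tags match with or without a namespace."""
    return tag.rsplit("}", 1)[-1]

def _is_true(value):
    return value is not None and value.strip().lower() == "true"

def audit_server_xml(xml_text):
    """Return findings for settings that leave the server open; an empty list
    means anonymous access is off on both stanzas and access control is on."""
    root = ET.fromstring(xml_text)
    anonymous = {}  # stanza local name -> allowAnonymousAccess as bool
    findings = []
    for element in root.iter():
        name = _local_name(element.tag)
        if name not in ("defaultDirectoryService", "apacheDS"):
            continue
        if "allowAnonymousAccess" in element.attrib:
            anonymous[name] = _is_true(element.attrib["allowAnonymousAccess"])
        if name == "defaultDirectoryService" and not _is_true(
                element.attrib.get("accessControlEnabled")):
            findings.append("accessControlEnabled is not true on defaultDirectoryService")
    for name, enabled in anonymous.items():
        if enabled:
            findings.append(f"allowAnonymousAccess=true on {name}")
    if len(set(anonymous.values())) > 1:
        findings.append("allowAnonymousAccess differs between defaultDirectoryService and apacheDS")
    return findings
```

Running `audit_server_xml` over the real file after the reset should return an empty list; anything else is a setting that still needs to be reverted.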