Subject: Re: Resetting the password for admin user
From: Alex Karasulu
To: users@directory.apache.org
Date: Tue, 22 Sep 2009 21:18:31 +0300
Mailing-List: users@directory.apache.org (Apache Directory users list)

Ahhh yeah let us know how that goes.

Alex

On Tue, Sep 22, 2009 at 7:18 PM, sumit goyal wrote:
> Hi Alex,
>
> Thanks for your response.
>
> DefaultAuthorizationService was already commented out.
>
> I changed accessControlEnabled to "false". It worked like a charm. I guess I
> would be able to complete the reset operation now.
>
> Thanks again!
> Sumit
>
> Ogden Nash - "The trouble with a kitten is that when it grows up, it's always a cat."
>
> On Tue, Sep 22, 2009 at 9:24 PM, Alex Karasulu wrote:
> > Comment out the DefaultAuthorizationService if you have the interceptor
> > chain defined in your server.xml file. This is what is causing the
> > insufficient rights exception.
> >
> > Alex
> >
> > On Tue, Sep 22, 2009 at 6:52 PM, sumit goyal wrote:
> > > Hi,
> > >
> > > Thanks for your answers.
> > >
> > > I was able to start the ADS 1.5.4 server after changing
> > > "allowAnonymousAccess" to true. I can connect to this server using Apache
> > > Directory Studio, without specifying any authentication.
> > >
> > > But when I browse to an entry and try to change the value of an attribute,
> > > I get the following error in Studio. Looks like it's a permission issue
> > > that I have hit now.
> > >
> > > Error while modifying value
> > >  - [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for Modify Reques
> > > javax.naming.NoPermissionException: [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for Modify Request
> > > Object : '0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
> > > Modification[0]
> > > Operation : replace
> > > Modification
> > > rdsisuseraccountlocked: 43265
> > > : null]; remaining name 'uid=tdsadmin,ou=People,dc=test,dc=com'
> > > at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3008)
> > > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2946)
> > > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
> > > at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1452)
> > > at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:270)
> > > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:187)
> > > at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$2.run(JNDIConnectionWrapper.java:494)
> > > at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1116)
> > > at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1047)
> > > at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.modifyEntry(JNDIConnectionWrapper.java:534)
> > > at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.modifyValue(ModifyValueJob.java:190)
> > > at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.executeAttributeModificationJob(ModifyValueJob.java:90)
> > > at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractAttributeModificationJob.executeNotificationJob(AbstractAttributeModificationJob.java:46)
> > > at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractNotificationJob.executeAsyncJob(AbstractNotificationJob.java:43)
> > > at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractEclipseJob.run(AbstractEclipseJob.java:101)
> > > at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
> > >
> > > [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for Modify Request
> > > Object : '0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
> > > Modification[0]
> > > Operation : replace
> > > Modification
> > > rdsisuseraccountlocked: 43265
> > > : null]
> > >
> > > Any ideas?
> > >
> > > Regards
> > > Sumit
> > >
> > > Joan Crawford <http://www.brainyquote.com/quotes/authors/j/joan_crawford.html> - "I, Joan Crawford, I believe in the dollar. Everything I earn, I spend."
> > >
> > > On Sat, Sep 19, 2009 at 8:04 PM, Alex Karasulu wrote:
> > > > On Sat, Sep 19, 2009 at 4:36 PM, Stefan Zoerner wrote:
> > > > > Alex Karasulu wrote:
> > > > > > The administrator entry is just like any other entry and the
> > > > > > userPassword field is like any other attribute. You can use these
> > > > > > LDAP client tools to update this attribute just the same way even on
> > > > > > your SUN machine since this goes over the wire.
> > > > > >
> > > > > > Hence this mechanism also works for ApacheDS however note that
> > > > > > you'll need either the SUN or the OpenLDAP client since we don't
> > > > > > have command line tools.
> > > > >
> > > > > I assume the question is: How to reset the password, if forgotten. The
> > > > > only idea I currently have:
> > > > >
> > > > > - Allow anonymous bind with complete authorization.
> > > > > - Reset the password attribute, just as Alex proposes
> > > > > - disallow anonymous bind with complete authorization.
> > > > >
> > > > > But I am not sure, whether opening the server that way is possible (be
> > > > > sure that it is not available over the wire for others at that time).
> > > >
> > > > If you've forgotten the administrator password and cannot bind to reset
> > > > then Stefan is absolutely right about having to open up the server.
> > > > There are 2 things you'll need to do. Remove all the authorization
> > > > interceptors and enable anonymous binds. This way you'll be able to have
> > > > anyone reset the administrator password. Then you can re-enable the
> > > > authorization and shut off anonymous binds. It would be nice to have
> > > > some self service applications to run in the embedded Jetty container
> > > > now that we have the container integrated. This would make it really
> > > > easy for users to manage and reset their passwords.
> > > >
> > > > Really I recommend setting the admin password to something and stowing
> > > > it away. You can elevate regular users to administrator status by
> > > > putting them in the Administrator group. The authorization subsystem
> > > > checks to see if users are in this group to give them administrator
> > > > rights.
> > > >
> > > > Regards,
> > > > --
> > > > Alex Karasulu
> > > > My Blog :: http://www.jroller.com/akarasulu/
> > > > Apache Directory Server :: http://directory.apache.org
> > > > Apache MINA :: http://mina.apache.org

--
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
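The over-the-wire userPassword replace that Alex and Stefan describe, written out as the LDIF an OpenLDAP ldapmodify would take, with the new value stored as an RFC 2307 {SSHA} hash rather than cleartext, plus a verifier for that hash. This is an added example, not code from the thread or from ApacheDS; it assumes the server compares {SSHA} values on bind (as ApacheDS's simple authenticator does), and the DN uid=admin,ou=system (ApacheDS's default admin entry), the sample password and the fixed salt are constructed values.

```python
# Added example (not from the thread or the ApacheDS project): build the LDIF
# that replaces an entry's userPassword, the over-the-wire reset described in
# the thread, storing an RFC 2307 {SSHA} value instead of cleartext.
# Assumption: the server compares {SSHA} values on bind, as ApacheDS does.
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length; the salt is whatever follows it


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt for each hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare


def password_reset_ldif(dn: str, new_password: str,
                        salt: Optional[bytes] = None) -> str:
    """LDIF 'changetype: modify' that replaces userPassword on one entry."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {ssha_hash(new_password, salt)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: ApacheDS's default admin DN and a throwaway password.
    print(password_reset_ldif("uid=admin,ou=system", "correct-horse-battery"))
```

Feed the printed LDIF to ldapmodify only during the window in which the server is opened up as the thread describes, then put the authorization interceptor and the anonymous-bind setting back the way they were.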