directory-users mailing list archives

From <>
Subject RE: [ApacheDS] looking for simple config for password policy enforcement.
Date Fri, 30 Sep 2011 21:04:50 GMT
Hi, and thank you for your response. 

I've been able to create a second policy all along, however I kept running into the same problem
when trying to add the 'pwdPolicySubentry' to an existing user.
Is it possible to modify the pwdPolicySubentry attribute on an existing user?
The schema browser shows that the attribute has a read-only flag (NO-USER-MODIFICATION):

#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:16:01.784
#!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
Message ID : 31
    Modify Request
        Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
        Modification[0]
            Operation : add
            Modification
                pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( NAME 'pwdPolicySubentry' DESC The pwdPolicy subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ]
dn: uid=1286309809116,ou=users,ou=int,o=cpro
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf

Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however, 

#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:31:17.973
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: add
sn: Accorsi
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
mail: null
givenName: Carlo
uid: 1286309809117
cn: Accorsi, Carlo
displayName: Accorsi, Carlo
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09

Now when any type of modification is made to the entry a LOOP_DETECT exception is thrown.

#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:45:33.245
#!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST
Message ID : 21
    Modify Request
        Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
        Modification[0]
            Operation : replace
            Modification
                givenName: Carlo2
ERR_333 Unexpected exception.]
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: modify
replace: givenName
givenName: Carlo2

Thinking this was because there were two policies, I decided to delete the default password
policy. Not smart, now the uid=admin,ou=system user can no longer bind.

I'm starting over but can you see anything I'm missing? 

I know my ads-pwdcheckquality =  2 in my new policy. 

Carlo Accorsi

-----Original Message-----
From: [] On Behalf Of Kiran Ayyagari
Sent: Friday, September 30, 2011 3:39 PM
Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.

On Fri, Sep 30, 2011 at 12:23 PM,  <> wrote:
> I would like to apply and enforce two different password policies to two different sub
> trees (that share the same root).
> I see where the policies (I think) are supposed to go.
> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
correct place
> The question is how does this policy then get linked or applied to a user?
> In other directory servers, the pwdPolicy schema defines the policy object and all the
> supporting attributes (min/max pw length, etc).
> Then the pwdPolicySubentry attribute (on the user object) refers to the DN of the policy
> object and this is how it's enforced.
> I can't seem to make the connection in ApacheDS how this occurs?
> I've tried creating an ads-passwordPolicy object at the subtree level of my users. Doesn't
> I've tried creating a simple pwdPolicy object but it cannot be saved because there's
> no structural objectclass associated with it.
no, this won't work, just create another policy under the above mentioned DN with a name like
ads-pwdId=custom and for enforcing this for a specific user:
add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN

Note that the default password policy (ads-pwdId=default) is applicable for all other user
entries which don't have a 'pwdPolicySubEntry'
attribute specified.

> Even if the functionality isn't fully implemented, I'd like to structure the directory
> correctly. Your help is most appreciated.
please let us know if you have any other questions


Kiran Ayyagari
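An added example, my own Python and not ApacheDS code or anything posted in this thread: it writes the two LDIF pieces Kiran's reply describes, a policy entry beside ads-pwdId=default and the modify that sets pwdPolicySubentry on a user, and validates the policy DN before it is written so that a reference that does not sit directly under the policy container is refused (the pwdPolicySubentry values in the LDIF earlier in this message end in ou=conf rather than ou=config, and this check rejects them). Attribute names other than ads-pwdId and ads-pwdCheckQuality are taken from the ads-passwordPolicy objectClass in the ApacheDS config schema, not from this thread; the numeric settings and the user DN are constructed samples. The thread does not settle whether an existing user's pwdPolicySubentry can be modified, so the modify LDIF is only the operation the reply describes, not a claim that the server accepts it.

```python
import re

# Container DN for ApacheDS password policies, as given in the thread.
POLICY_CONTAINER = ("ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,"
                    "ou=interceptors,ads-directoryServiceId=default,ou=config")


def split_rdns(dn):
    """Split a DN into (type, value) pairs, leftmost RDN first.

    Deliberately simple: splits on unescaped commas and handles single-valued
    RDNs only, which is all the DNs in this thread need.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        part = part.strip()
        if '=' not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr_type, value = part.split('=', 1)
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def is_policy_dn(dn, container=POLICY_CONTAINER):
    """True if dn is exactly one ads-pwdId RDN below the policy container.

    Comparison is case-insensitive (distinguishedNameMatch semantics for
    these attribute types); a truncated or mistyped container suffix fails.
    """
    rdns = split_rdns(dn)
    base = split_rdns(container)
    if len(rdns) != len(base) + 1:
        return False
    suffix = [(t, v.lower()) for t, v in rdns[1:]]
    expected = [(t, v.lower()) for t, v in base]
    return suffix == expected and rdns[0][0] == 'ads-pwdid'


def policy_entry_ldif(pwd_id, min_length=8, check_quality=2, max_failure=5, lockout=True):
    """LDIF for a new policy entry next to ads-pwdId=default.

    Attribute names follow the ads-passwordPolicy objectClass in the ApacheDS
    config schema (assumption, not from the thread); values are sample settings.
    """
    dn = "ads-pwdId=%s,%s" % (pwd_id, POLICY_CONTAINER)
    lines = [
        "dn: " + dn,
        "objectClass: top",
        "objectClass: ads-base",
        "objectClass: ads-passwordPolicy",
        "ads-pwdId: " + pwd_id,
        "ads-pwdAttribute: userPassword",
        "ads-pwdMinLength: %d" % min_length,
        # 2 = enforce the quality check (draft-behera-ldap-password-policy semantics)
        "ads-pwdCheckQuality: %d" % check_quality,
        "ads-pwdMaxFailure: %d" % max_failure,
        "ads-pwdLockout: " + ("TRUE" if lockout else "FALSE"),
        "ads-enabled: TRUE",
    ]
    return "\n".join(lines) + "\n"


def assign_policy_ldif(user_dn, policy_dn):
    """LDIF modify that points a user at a policy, refusing a bad policy DN."""
    if not is_policy_dn(policy_dn):
        raise ValueError("not a policy entry under %s: %s" % (POLICY_CONTAINER, policy_dn))
    template = ("dn: %s\n"
                "changetype: modify\n"
                "add: pwdPolicySubentry\n"
                "pwdPolicySubentry: %s\n"
                "-\n")   # RFC 2849 terminates each modification spec with "-"
    return template % (user_dn, policy_dn)


if __name__ == "__main__":
    # Constructed sample: a "custom" policy and the user DN from this thread.
    custom = "ads-pwdId=custom," + POLICY_CONTAINER
    print(policy_entry_ldif("custom"))
    print(assign_policy_ldif("uid=1286309809117,ou=users,ou=int,o=cpro", custom))
```

Feed the two outputs to ldapmodify (or the Apache Directory Studio LDIF editor) in that order; the DN check is what turns a silently wrong reference into an error before anything reaches the server.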
