directory-users mailing list archives

From <Carlo.Acco...@ibs-ag.com>
Subject RE: [ApacheDS] looking for simple config for password policy enforcement.
Date Tue, 04 Oct 2011 20:58:31 GMT
Hi Kiran, yes this worked. Thank you very much. 

Regards,
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, October 04, 2011 3:31 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.

Have fixed this, please verify with the latest trunk source and let us know.
Thanks for reporting

On Tue, Oct 4, 2011 at 11:13 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> I have found the issue and filed a report[1]. Will let you know after
> committing the fix (approx. 2 hours).
> Appreciate your patience
>
> [1] https://issues.apache.org/jira/browse/DIRSERVER-1665
>
> On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>> am currently looking at this issue, will let you know as soon as I find
>>
>> On Tue, Oct 4, 2011 at 9:39 AM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>>> Hi,
>>> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
>>> 2.) Import LDIF of my own JDBM partition. - OK
>>> 3.) Import LDIF root DSE for my new partition - OK
>>> 4.) Import LDIF for my own password policy - OK
>>> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set 
>>> for policy in step 4. - OK
>>> 6.) Try and modify any attribute of user imported in step 5 and the exception below is thrown.
>>>
>>> Any ideas?
>>>
>>> // step 5 result
>>> #!RESULT OK
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-10-04T09:30:33.945
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: add
>>> employeeNumber: jsmith
>>> initials: w
>>> sn: Smith
>>> objectClass: inetOrgPerson
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: top
>>> mail: null@locahost
>>> givenName: John
>>> uid: 1286309809117
>>> pwdPolicySubEntry: 
>>> ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticati
>>> onInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
>>> ig
>>> cn: Smith, John
>>> displayName: Smith, John
>>> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>>>
>>> // step 6, change givenName
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-10-04T09:30:47.177
>>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : 
>>> MODIFY_REQUEST Message ID : 14     Modify Request         Object : 
>>> 'uid=1286309809117,ou=users,ou=int,o=cpro'             
>>> Modification[0]                 Operation :  replace          
>>> Modification     givenName: John2 
>>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@863
>>> 92ad2: ERR_333 Unexpected exception.]
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> replace: givenName
>>> givenName: John2
>>>
>>>
>>> //  ldif of my password policy
>>> dn: 
>>> ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticati
>>> onInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
>>> ig
>>> objectclass: top
>>> objectclass: ads-base
>>> objectclass: ads-passwordPolicy
>>> ads-pwdattribute: userPassword
>>> ads-pwdid: cproext
>>> ads-enabled: TRUE
>>> ads-pwdallowuserchange: TRUE
>>> ads-pwdcheckquality: 1
>>> ads-pwdexpirewarning: 600
>>> ads-pwdfailurecountinterval: 30
>>> ads-pwdgraceauthnlimit: 5
>>> ads-pwdgraceexpire: 0
>>> ads-pwdinhistory: 5
>>> ads-pwdlockout: TRUE
>>> ads-pwdlockoutduration: 0
>>> ads-pwdmaxage: 0
>>> ads-pwdmaxdelay: 0
>>> ads-pwdmaxfailure: 5
>>> ads-pwdmaxidle: 0
>>> ads-pwdmaxlength: 0
>>> ads-pwdminage: 0
>>> ads-pwdmindelay: 0
>>> ads-pwdminlength: 5
>>> ads-pwdmustchange: FALSE
>>> ads-pwdsafemodify: FALSE
>>>
>>> Thank you!!
>>>
>>>
>>> -----Original Message-----
>>> From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com]
>>> Sent: Friday, September 30, 2011 5:05 PM
>>> To: users@directory.apache.org
>>> Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.
>>>
>>> Hi, and thank you for your response.
>>>
>>> I've been able to create a second policy all along, however I kept running into the same problem when trying to add the 'pwdPolicySubentry' to an existing user.
>>> Is it possible to modify the pwdPolicySubentry attribute on an existing user?
>>> The schema browser shows that the attribute has a read-only flag ( NO-USER-MODIFICATION ).
>>>
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:16:01.784
>>> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed 
>>> for MessageType : MODIFY_REQUEST Message ID : 31     Modify Request      
>>> Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'             
>>> Modification[0]                 Operation :  add              
>>> Modification     pwdPolicySubentry: 
>>> ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticati
>>> onInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
>>> ig 
>>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b1
>>> 31069: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 
>>> 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC The 
>>> pwdPolicy subentry in effect for this object  EQUALITY 
>>> distinguishedNameMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12  
>>> SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation  ) ]
>>> dn: uid=1286309809116,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> add: pwdPolicySubentry
>>> pwdPolicySubentry: 
>>> ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticati
>>> onInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf 
>>> ig
>>>
>>>
>>> Anyway, I then tried a NEW user and set pwdPolicySubentry and this 
>>> worked, however,
>>>
>>> #!RESULT OK
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:31:17.973
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: add
>>> sn: Accorsi
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> mail: null
>>> givenName: Carlo
>>> uid: 1286309809117
>>> cn: Accorsi, Carlo
>>> displayName: Accorsi, Carlo
>>> pwdPolicySubentry: 
>>> ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticati
>>> onInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf 
>>> ig
>>> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>>>
>>> Now when any type of modification is made to the entry a LOOP_DETECT exception is thrown.
>>>
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:45:33.245
>>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : 
>>> MODIFY_REQUEST Message ID : 21     Modify Request         Object : 
>>> 'uid=1286309809117,ou=users,ou=int,o=cpro'             
>>> Modification[0]                 Operation :  replace          
>>> Modification     givenName: Carlo2 
>>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902
>>> ef1ad: ERR_333 Unexpected exception.]
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> replace: givenName
>>> givenName: Carlo2
>>>
>>> Thinking this was because there were two policies, I decided to delete the default password policy. Not smart, now the uid=admin,ou=system user can no longer bind..
>>>
>>> I'm starting over but can you see anything I'm missing?
>>>
>>> I know my ads-pwdcheckquality = 2 in my new policy.
>>>
>>> Thanks,
>>> Carlo Accorsi
>>>
>>> -----Original Message-----
>>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On 
>>> Behalf Of Kiran Ayyagari
>>> Sent: Friday, September 30, 2011 3:39 PM
>>> To: users@directory.apache.org
>>> Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.
>>>
>>> On Fri, Sep 30, 2011 at 12:23 PM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>>>> I would like to apply and enforce two different password policies to two different sub trees (that share the same root).
>>>>
>>>> I see where the policies (I think ) are supposed to go.
>>>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>>
>>> correct place
>>>> The question is how does this policy then get linked or applied to a user?
>>>>
>>>> In other directory servers, the pwdPolicy schema defines the policy object and all the supporting attributes (min/max pw length, etc).
>>>> Then the pwdPolicySubentry attribute (on the user object) refers to the DN of the policy object and this is how it's enforced.
>>>>
>>>> I can't seem to make the connection in ApacheDS how this occurs?
>>>> I've tried creating an ads-passwordPolicy object at the subtree level of my users. Doesn't work.
>>>> I've tried creating a simple pwdPolicy object but it cannot be saved because there's no structural objectclass associated with it.
>>>>
>>> no, this won't work, just create another policy under the above mentioned DN with a name like ads-pwdId=custom and for enforcing this for a specific user:
>>> add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN
>>>
>>> Note that the default password policy (ads-pwdId=default) is applicable for all other user entries which don't have a 'pwdPolicySubEntry' attribute specified.
>>>
>>>> Even if the functionality isn't fully implemented, I'd like to structure the directory correctly. Your help is most appreciated.
>>>>
>>> please let us know if you have any other questions
>>>
>>> HTH
>>>
>>> --
>>> Kiran Ayyagari
>>>
>>
>>
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>



--
Kiran Ayyagari
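The wiring Kiran describes in the thread (a policy entry under ou=passwordPolicies in the interceptor config, a user entry pointing at it through pwdPolicySubentry, and ads-pwdId=default applying to everyone else) can be checked offline before the LDIF is imported. The script below is an added example written for this archive page; it is not code from the thread or from the ApacheDS project. It parses LDIF as it appears in the thread (RFC 2849 folded lines, `::` base64 values, `#!` log comments), flags a user whose pwdPolicySubentry points outside the policy container or at a missing or disabled policy, and evaluates a password value against the policy's length settings. Assumptions: the sample LDIF is constructed, the DN normalisation splits on commas only (no escaped commas in the DNs used), and the ads-pwdCheckQuality semantics follow the LDAP password-policy draft (0 = no check, 1 = check readable values, 2 = also reject values that cannot be checked).

```python
import base64
import re

# Container where ApacheDS 2.0 keeps password policies (DN from the thread).
# Compared after normalize_dn(), so it is written lower-case here.
POLICY_CONTAINER = ("ou=passwordpolicies,ads-interceptorid=authenticationinterceptor,"
                    "ou=interceptors,ads-directoryserviceid=default,ou=config")
DEFAULT_POLICY_DN = "ads-pwdid=default," + POLICY_CONTAINER

# "name: value" or "name:: base64value"
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# Constructed sample, not data from the list post: one policy in the right
# container, one user bound to it, and one user whose pwdPolicySubentry points
# at the users subtree (the placement the thread says does not work).  Long DNs
# use RFC 2849 folding (a continuation line starts with one space); passwords
# use the LDIF "::" base64 form seen in the thread ("secret12", constructed).
SAMPLE_LDIF = """\
dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,
 ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
ads-pwdid: cproext
ads-enabled: TRUE
ads-pwdattribute: userPassword
ads-pwdcheckquality: 1
ads-pwdminlength: 5
ads-pwdmaxlength: 0

dn: uid=1286309809117,ou=users,ou=int,o=cpro
objectClass: inetOrgPerson
uid: 1286309809117
cn: Smith, John
sn: Smith
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,
 ou=interceptors,ads-directoryServiceId=default,ou=config
userPassword:: c2VjcmV0MTI=

dn: uid=1286309809118,ou=users,ou=int,o=cpro
objectClass: inetOrgPerson
uid: 1286309809118
cn: Doe, Jane
sn: Doe
pwdPolicySubentry: ads-pwdId=cproext,ou=users,ou=int,o=cpro
userPassword:: c2VjcmV0MTI=
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, attrs); attrs maps lower-cased attribute
    names to lists of str values.  Unfolds continuation lines, decodes '::'
    base64 values and skips '#' lines (including '#!RESULT' tool comments)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 folding: drop the leading space
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        name = name.lower()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def normalize_dn(dn):
    """Lower-case a DN and trim whitespace around RDN separators (simplified:
    assumes no escaped commas inside attribute values)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def index_policies(entries):
    """Map normalised DN -> attrs for every ads-passwordPolicy entry."""
    return {normalize_dn(dn): attrs for dn, attrs in entries
            if "ads-passwordpolicy" in {c.lower() for c in attrs.get("objectclass", [])}}


def effective_policy_dn(user_attrs):
    """Policy DN that applies to a user: pwdPolicySubentry if set, else the
    default policy, which the thread says covers entries without the attribute."""
    subentry = user_attrs.get("pwdpolicysubentry")
    return normalize_dn(subentry[0]) if subentry else DEFAULT_POLICY_DN


def audit_user(user_attrs, policies):
    """Findings about how a user entry is bound to its policy (empty = OK)."""
    findings = []
    dn = effective_policy_dn(user_attrs)
    if not dn.endswith("," + POLICY_CONTAINER):
        findings.append("pwdPolicySubentry points outside the ApacheDS policy container")
    policy = policies.get(dn)
    if policy is None:
        findings.append("referenced policy entry does not exist: " + dn)
    elif policy.get("ads-enabled", ["FALSE"])[0].upper() != "TRUE":
        findings.append("referenced policy is disabled (ads-enabled != TRUE)")
    return findings


def check_password(policy, password):
    """Evaluate a password value against the policy's length settings; returns
    a list of violations (empty = acceptable).  Quality semantics as assumed
    in the lead-in; a pre-hashed value such as {SHA}... cannot be inspected."""
    def setting(name):
        return int(policy.get(name, ["0"])[0])
    quality, minlen, maxlen = (setting("ads-pwdcheckquality"),
                               setting("ads-pwdminlength"), setting("ads-pwdmaxlength"))
    violations = []
    if quality == 0:
        return violations
    if password.startswith("{"):
        if quality == 2:
            violations.append("pre-hashed value cannot be quality-checked (ads-pwdCheckQuality=2)")
        return violations
    if minlen and len(password) < minlen:
        violations.append(f"shorter than ads-pwdMinLength ({minlen})")
    if maxlen and len(password) > maxlen:
        violations.append(f"longer than ads-pwdMaxLength ({maxlen})")
    return violations


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    policies = index_policies(entries)
    for dn, attrs in entries:
        if "userpassword" not in attrs:
            continue
        print(dn)
        for finding in audit_user(attrs, policies):
            print("  binding:", finding)
        policy = policies.get(effective_policy_dn(attrs))
        if policy:
            for violation in check_password(policy, attrs["userpassword"][0]):
                print("  password:", violation)
```

Run it against your own export before importing: the second sample user reproduces the "policy under the users subtree" mistake from the thread and is reported as both outside the container and unresolvable, while the first user resolves cleanly to ads-pwdId=cproext. Note that pwdPolicySubentry is NO-USER-MODIFICATION, as the thread shows, so this check is most useful on the LDIF used for the initial add.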
