directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] looking for simple config for password policy enforcement.
Date Tue, 04 Oct 2011 15:13:09 GMT
I have found the issue and filed a report[1]
Will let you know after committing the fix(approx. 2 hours).
Appreciate your patience

[1] https://issues.apache.org/jira/browse/DIRSERVER-1665

On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> am currently looking at this issue, will let you know as soon as I find
>
> On Tue, Oct 4, 2011 at 9:39 AM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>> Hi,
>> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
>> 2.) Import LDIF of my own JDBM partition. - OK
>> 3.) Import LDIF root DSE for my new partition - OK
>> 4.) Import LDIF for my own password policy - OK
>> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in
step 4. - OK
>> 6.) Try and modify any attribute of user imported in step 5 and the exception below
is thrown.
>>
>> Any ideas?
>>
>> // step 5 result
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:33.945
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> employeeNumber: jsmith
>> initials: w
>> sn: Smith
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: top
>> mail: null@locahost
>> givenName: John
>> uid: 1286309809117
>> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> cn: Smith, John
>> displayName: Smith, John
>> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>>
>> // step 6, change givenName
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:47.177
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST
Message ID : 14     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
            Modification[0]                 Operation :  replace        
        Modification     givenName: John2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2:
ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: John2
>>
>>
>> //  ldif of my password policy
>> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> objectclass: top
>> objectclass: ads-base
>> objectclass: ads-passwordPolicy
>> ads-pwdattribute: userPassword
>> ads-pwdid: cproext
>> ads-enabled: TRUE
>> ads-pwdallowuserchange: TRUE
>> ads-pwdcheckquality: 1
>> ads-pwdexpirewarning: 600
>> ads-pwdfailurecountinterval: 30
>> ads-pwdgraceauthnlimit: 5
>> ads-pwdgraceexpire: 0
>> ads-pwdinhistory: 5
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>> ads-pwdmaxage: 0
>> ads-pwdmaxdelay: 0
>> ads-pwdmaxfailure: 5
>> ads-pwdmaxidle: 0
>> ads-pwdmaxlength: 0
>> ads-pwdminage: 0
>> ads-pwdmindelay: 0
>> ads-pwdminlength: 5
>> ads-pwdmustchange: FALSE
>> ads-pwdsafemodify: FALSE
>>
>> Thank you!!
>>
>>
>> -----Original Message-----
>> From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com]
>> Sent: Friday, September 30, 2011 5:05 PM
>> To: users@directory.apache.org
>> Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.
>>
>> Hi, and thank you for your response.
>>
>> I've been able to create a second policy all along, however I kept running into the
same problem when trying to add the 'pwdPolicySubentry'   to an existing user.
>> Is it possible to modify the  pwdPolicySubentry  attribute on an existing user?
>>  The schema browser shows that the  attribute has a read-only flag, ( NO-USER-MODIFICATION
 )
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:16:01.784
>> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType
: MODIFY_REQUEST Message ID : 31     Modify Request         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
            Modification[0]                 Operation :  add          
      Modification     pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify
the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC
The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX
1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation
 ) ]
>> dn: uid=1286309809116,ou=users,ou=int,o=cpro
>> changetype: modify
>> add: pwdPolicySubentry
>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
ig
>>
>>
>> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however,
>>
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:31:17.973
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> sn: Accorsi
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: inetOrgPerson
>> objectClass: top
>> mail: null
>> givenName: Carlo
>> uid: 1286309809117
>> cn: Accorsi, Carlo
>> displayName: Accorsi, Carlo
>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
ig
>> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>>
>> Now when any type of modification is made to the entry  a LOOP_DETECT exception
is thrown.
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:45:33.245
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST
Message ID : 21     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
            Modification[0]                 Operation :  replace        
        Modification     givenName: Carlo2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad:
ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: Carlo2
>>
>> Thinking this was because there were two policies, I decided to delete the default
password policy. Not smart, now the uid=admin,ou=system user can no longer bind..
>>
>> I'm starting over but can you see anything I'm missing?
>>
>> I know my ads-pwdcheckquality =  2 in my new policy.
>>
>> Thanks,
>> Carlo Accorsi
>>
>> -----Original Message-----
>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran
Ayyagari
>> Sent: Friday, September 30, 2011 3:39 PM
>> To: users@directory.apache.org
>> Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.
>>
>> On Fri, Sep 30, 2011 at 12:23 PM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>>> I would like to apply and enforce two different password policies to two different
sub trees (that share the same root).
>>>
>>> I see where the policies (I think ) are supposed to go.
>>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=int
>>> erceptors,ads-directoryServiceId=default,ou=config
>>>
>> correct place
>>> The question is how does this policy then get linked or applied to a user?
>>>
>>> In other directory servers, the pwdPolicy schema defines the policy object and
all the supporting attributes (min/max pw length, etc).
>>> Then the pwdPolicySubentry  attribute (on the user object) refers to the DN
of the policy object and this is how it's enforced.
>>>
>>> I can't seem to make the connection in ApacheDS how this occurs?
>>> I've tried creating  ads-passwordPolicy object at the subtree level of my users.
Doesn't work.
>>> I've tried creating a simple pwdPolicy object but it cannot be saved because
there's no structural objectclass associate with it.
>>>
>> no, this won't work, just create another policy under the above mentioned DN with
a name like ads-pwdId=custom and for enforcing this for a specific user:
>> add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's
DN
>>
>> Note that the default password policy(ads-pwdId=default) is applicable for all other
user entries which doesn't have a 'pwdPolicySubEntry'
>> attribute specified.
>>
>>> Even if the functionality isn't fully implemented, I'd like to structure the
directory correctly. Your help is most appreciated.
>>>
>> please let us know if you have any other questions
>>
>> HTH
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>



-- 
Kiran Ayyagari

Mime
View raw message