directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] looking for simple config for password policy enforcement.
Date Tue, 04 Oct 2011 14:00:58 GMT
am currently looking at this issue, will let you know as soon as I find

On Tue, Oct 4, 2011 at 9:39 AM,  <Carlo.Accorsi@ibs-ag.com> wrote:
> Hi,
> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
> 2.) Import LDIF of my own JDBM partition. - OK
> 3.) Import LDIF root DSE for my new partition - OK
> 4.) Import LDIF for my own password policy - OK
> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in step
4. - OK
> 6.) Try and modify any attribute of user imported in step 5 and the exception below is
thrown.
>
> Any ideas?
>
> // step 5 result
> #!RESULT OK
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-10-04T09:30:33.945
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: add
> employeeNumber: jsmith
> initials: w
> sn: Smith
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> mail: null@locahost
> givenName: John
> uid: 1286309809117
> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> cn: Smith, John
> displayName: Smith, John
> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>
> // step 6, change givenName
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-10-04T09:30:47.177
> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message
ID : 14     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
            Modification[0]                 Operation :  replace        
        Modification     givenName: John2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2:
ERR_333 Unexpected exception.]
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: modify
> replace: givenName
> givenName: John2
>
>
> //  ldif of my password policy
> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> ads-pwdattribute: userPassword
> ads-pwdid: cproext
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 600
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 5
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 0
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: FALSE
> ads-pwdsafemodify: FALSE
>
> Thank you!!
>
>
> -----Original Message-----
> From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com]
> Sent: Friday, September 30, 2011 5:05 PM
> To: users@directory.apache.org
> Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.
>
> Hi, and thank you for your response.
>
> I've been able to create a second policy all along, however I kept running into the same
problem when trying to add the 'pwdPolicySubentry'   to an existing user.
> Is it possible to modify the  pwdPolicySubentry  attribute on an existing user?
>  The schema browser shows that the  attribute has a read-only flag, ( NO-USER-MODIFICATION
 )
>
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:16:01.784
> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
Message ID : 31     Modify Request         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
            Modification[0]                 Operation :  add          
      Modification     pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify
the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC
The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX
1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation
 ) ]
> dn: uid=1286309809116,ou=users,ou=int,o=cpro
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
ig
>
>
> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however,
>
> #!RESULT OK
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:31:17.973
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: add
> sn: Accorsi
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> mail: null
> givenName: Carlo
> uid: 1286309809117
> cn: Accorsi, Carlo
> displayName: Accorsi, Carlo
> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf
ig
> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>
> Now when any type of modification is made to the entry  a LOOP_DETECT exception is thrown.
>
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:45:33.245
> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message
ID : 21     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
            Modification[0]                 Operation :  replace        
        Modification     givenName: Carlo2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad:
ERR_333 Unexpected exception.]
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: modify
> replace: givenName
> givenName: Carlo2
>
> Thinking this was because there were two policies, I decided to delete the default password
policy. Not smart, now the uid=admin,ou=system user can no longer bind..
>
> I'm starting over but can you see anything I'm missing?
>
> I know my ads-pwdcheckquality =  2 in my new policy.
>
> Thanks,
> Carlo Accorsi
>
> -----Original Message-----
> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
> Sent: Friday, September 30, 2011 3:39 PM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.
>
> On Fri, Sep 30, 2011 at 12:23 PM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>> I would like to apply and enforce two different password policies to two different
sub trees (that share the same root).
>>
>> I see where the policies (I think ) are supposed to go.
>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=int
>> erceptors,ads-directoryServiceId=default,ou=config
>>
> correct place
>> The question is how does this policy then get linked or applied to a user?
>>
>> In other directory servers, the pwdPolicy schema defines the policy object and all
the supporting attributes (min/max pw length, etc).
>> Then the pwdPolicySubentry  attribute (on the user object) refers to the DN of the
policy object and this is how it's enforced.
>>
>> I can't seem to make the connection in ApacheDS how this occurs?
>> I've tried creating  ads-passwordPolicy object at the subtree level of my users.
Doesn't work.
>> I've tried creating a simple pwdPolicy object but it cannot be saved because there's
no structural objectclass associate with it.
>>
> no, this won't work, just create another policy under the above mentioned DN with a name
like ads-pwdId=custom and for enforcing this for a specific user:
> add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's
DN
>
> Note that the default password policy(ads-pwdId=default) is applicable for all other
user entries which doesn't have a 'pwdPolicySubEntry'
> attribute specified.
>
>> Even if the functionality isn't fully implemented, I'd like to structure the directory
correctly. Your help is most appreciated.
>>
> please let us know if you have any other questions
>
> HTH
>
> --
> Kiran Ayyagari
>



-- 
Kiran Ayyagari

Mime
View raw message