directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] looking for simple config for password policy enforcement.
Date Tue, 04 Oct 2011 19:31:09 GMT
Have fixed this, please verify with the latest trunk source and let us know.
Thanks for reporting

On Tue, Oct 4, 2011 at 11:13 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> I have found the issue and filed a report[1]
> Will let you know after committing the fix(approx. 2 hours).
> Appreciate your patience
>
> [1] https://issues.apache.org/jira/browse/DIRSERVER-1665
>
> On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>> am currently looking at this issue, will let you know as soon as I find
>>
>> On Tue, Oct 4, 2011 at 9:39 AM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>>> Hi,
>>> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
>>> 2.) Import LDIF of my own JDBM partition. - OK
>>> 3.) Import LDIF root DSE for my new partition - OK
>>> 4.) Import LDIF for my own password policy - OK
>>> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in step 4. - OK
>>> 6.) Try and modify any attribute of user imported in step 5 and the exception below is thrown.
>>>
>>> Any ideas?
>>>
>>> // step 5 result
>>> #!RESULT OK
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-10-04T09:30:33.945
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: add
>>> employeeNumber: jsmith
>>> initials: w
>>> sn: Smith
>>> objectClass: inetOrgPerson
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: top
>>> mail: null@locahost
>>> givenName: John
>>> uid: 1286309809117
>>> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> cn: Smith, John
>>> displayName: Smith, John
>>> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>>>
>>> // step 6, change givenName
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-10-04T09:30:47.177
>>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST
>>>   Message ID : 14
>>>   Modify Request
>>>     Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
>>>     Modification[0]
>>>       Operation : replace
>>>       Modification
>>>         givenName: John2
>>>   org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2: ERR_333 Unexpected exception.]
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> replace: givenName
>>> givenName: John2
>>>
>>>
>>> //  ldif of my password policy
>>> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> objectclass: top
>>> objectclass: ads-base
>>> objectclass: ads-passwordPolicy
>>> ads-pwdattribute: userPassword
>>> ads-pwdid: cproext
>>> ads-enabled: TRUE
>>> ads-pwdallowuserchange: TRUE
>>> ads-pwdcheckquality: 1
>>> ads-pwdexpirewarning: 600
>>> ads-pwdfailurecountinterval: 30
>>> ads-pwdgraceauthnlimit: 5
>>> ads-pwdgraceexpire: 0
>>> ads-pwdinhistory: 5
>>> ads-pwdlockout: TRUE
>>> ads-pwdlockoutduration: 0
>>> ads-pwdmaxage: 0
>>> ads-pwdmaxdelay: 0
>>> ads-pwdmaxfailure: 5
>>> ads-pwdmaxidle: 0
>>> ads-pwdmaxlength: 0
>>> ads-pwdminage: 0
>>> ads-pwdmindelay: 0
>>> ads-pwdminlength: 5
>>> ads-pwdmustchange: FALSE
>>> ads-pwdsafemodify: FALSE
>>>
>>> Thank you!!
>>>
>>>
>>> -----Original Message-----
>>> From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com]
>>> Sent: Friday, September 30, 2011 5:05 PM
>>> To: users@directory.apache.org
>>> Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.
>>>
>>> Hi, and thank you for your response.
>>>
>>> I've been able to create a second policy all along, however I kept running into the same problem when trying to add the 'pwdPolicySubentry' to an existing user.
>>> Is it possible to modify the pwdPolicySubentry attribute on an existing user?
>>> The schema browser shows that the attribute has a read-only flag ( NO-USER-MODIFICATION ).
>>>
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:16:01.784
>>> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
>>>   Message ID : 31
>>>   Modify Request
>>>     Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
>>>     Modification[0]
>>>       Operation : add
>>>       Modification
>>>         pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>   org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC The pwdPolicy subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ]
>>> dn: uid=1286309809116,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> add: pwdPolicySubentry
>>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>
>>>
>>> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however,
>>>
>>> #!RESULT OK
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:31:17.973
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: add
>>> sn: Accorsi
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> mail: null
>>> givenName: Carlo
>>> uid: 1286309809117
>>> cn: Accorsi, Carlo
>>> displayName: Accorsi, Carlo
>>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>>>
>>> Now when any type of modification is made to the entry a LOOP_DETECT exception is thrown.
>>>
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:45:33.245
>>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST
>>>   Message ID : 21
>>>   Modify Request
>>>     Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
>>>     Modification[0]
>>>       Operation : replace
>>>       Modification
>>>         givenName: Carlo2
>>>   org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad: ERR_333 Unexpected exception.]
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> replace: givenName
>>> givenName: Carlo2
>>>
>>> Thinking this was because there were two policies, I decided to delete the default password policy. Not smart, now the uid=admin,ou=system user can no longer bind..
>>>
>>> I'm starting over but can you see anything I'm missing?
>>>
>>> I know my ads-pwdcheckquality =  2 in my new policy.
>>>
>>> Thanks,
>>> Carlo Accorsi
>>>
>>> -----Original Message-----
>>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
>>> Sent: Friday, September 30, 2011 3:39 PM
>>> To: users@directory.apache.org
>>> Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.
>>>
>>> On Fri, Sep 30, 2011 at 12:23 PM,  <Carlo.Accorsi@ibs-ag.com> wrote:
>>>> I would like to apply and enforce two different password policies to two different sub trees (that share the same root).
>>>>
>>>> I see where the policies (I think ) are supposed to go.
>>>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>>
>>> correct place
>>>> The question is how does this policy then get linked or applied to a user?
>>>>
>>>> In other directory servers, the pwdPolicy schema defines the policy object and all the supporting attributes (min/max pw length, etc).
>>>> Then the pwdPolicySubentry attribute (on the user object) refers to the DN of the policy object and this is how it's enforced.
>>>>
>>>> I can't seem to make the connection in ApacheDS how this occurs?
>>>> I've tried creating an ads-passwordPolicy object at the subtree level of my users. Doesn't work.
>>>> I've tried creating a simple pwdPolicy object but it cannot be saved because there's no structural objectclass associated with it.
>>>>
>>> no, this won't work, just create another policy under the above mentioned DN with a name like ads-pwdId=custom and for enforcing this for a specific user:
>>> add the 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN
>>>
>>> Note that the default password policy (ads-pwdId=default) is applicable for all other user entries that don't have a 'pwdPolicySubEntry' attribute specified.
>>>
>>>> Even if the functionality isn't fully implemented, I'd like to structure the directory correctly. Your help is most appreciated.
>>>>
>>> please let us know if you have any other questions
>>>
>>> HTH
>>>
>>> --
>>> Kiran Ayyagari
>>>
>>
>>
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>



-- 
Kiran Ayyagari

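The resolution rule stated in the thread (a user's pwdPolicySubentry DN wins, otherwise ads-pwdId=default under ou=passwordPolicies,... in ou=config applies) is easy to get wrong when auditing which policy actually governs an account. The following is an added example, not code from ApacheDS or from either poster: it parses a constructed LDIF export containing two policy entries and two users, resolves the effective policy for each user, and checks a candidate password against that policy's ads-pwdMinLength / ads-pwdMaxLength (0 meaning no limit). The DN layout copies the thread; the policy values, user DNs and passwords are made up for illustration, and only the length attributes are enforced here.

```python
"""Offline check: which ApacheDS password policy governs a user, and does a
candidate password satisfy it? Example code, not part of ApacheDS."""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Assumed DN layout, copied from the mailing-list thread.
POLICY_BASE = ("ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,"
               "ou=interceptors,ads-directoryServiceId=default,ou=config")
DEFAULT_POLICY_DN = "ads-pwdId=default," + POLICY_BASE
CUSTOM_POLICY_DN = "ads-pwdId=cproext," + POLICY_BASE

# Constructed sample LDIF: two policies, one user bound to the custom policy via
# pwdPolicySubentry (set at add time, since the attribute is NO-USER-MODIFICATION)
# and one user with no pwdPolicySubentry, who therefore gets the default policy.
SAMPLE_LDIF = f"""\
dn: {DEFAULT_POLICY_DN}
objectClass: ads-passwordPolicy
ads-pwdId: default
ads-enabled: TRUE
ads-pwdMinLength: 5
ads-pwdMaxLength: 0

dn: {CUSTOM_POLICY_DN}
objectClass: ads-passwordPolicy
ads-pwdId: cproext
ads-enabled: TRUE
ads-pwdMinLength: 12
ads-pwdMaxLength: 64

dn: uid=1286309809117,ou=users,ou=int,o=cpro
objectClass: inetOrgPerson
uid: 1286309809117
pwdPolicySubentry: {CUSTOM_POLICY_DN}
userPassword:: aHVudGVyMg==

dn: uid=jdoe,ou=users,ou=ext,o=cpro
objectClass: inetOrgPerson
uid: jdoe
userPassword: hunter2hunter2
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: entries keyed by lower-cased DN, attribute names
    lower-cased, '::' values base64-decoded, folded lines (leading space) joined."""
    entries: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # LDIF line folding
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):               # 'attr:: base64'
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            name = name.strip().lower()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("entry without dn")
        entries[dn.lower()] = attrs
    return entries


def effective_policy_dn(user: Entry) -> str:
    """Rule from the thread: pwdPolicySubentry if present, else the default policy."""
    return user.get("pwdpolicysubentry", [DEFAULT_POLICY_DN])[0]


def effective_policy(entries: Dict[str, Entry], user: Entry) -> Entry:
    dn = effective_policy_dn(user).lower()
    policy = entries.get(dn)
    classes = [c.lower() for c in (policy or {}).get("objectclass", [])]
    if policy is None or "ads-passwordpolicy" not in classes:
        raise LookupError(f"no ads-passwordPolicy entry at {dn}")
    return policy


def violations(policy: Entry, password: str) -> List[str]:
    """Length checks only; 0 means 'no limit'. A disabled policy checks nothing."""
    if policy.get("ads-enabled", ["TRUE"])[0].upper() != "TRUE":
        return []
    problems = []
    min_len = int(policy.get("ads-pwdminlength", ["0"])[0])
    max_len = int(policy.get("ads-pwdmaxlength", ["0"])[0])
    if min_len and len(password) < min_len:
        problems.append(f"shorter than ads-pwdMinLength={min_len}")
    if max_len and len(password) > max_len:
        problems.append(f"longer than ads-pwdMaxLength={max_len}")
    return problems


def check_user(entries: Dict[str, Entry], user_dn: str, password: str) -> Tuple[str, List[str]]:
    """Return (ads-pwdId of the governing policy, list of violations)."""
    policy = effective_policy(entries, entries[user_dn.lower()])
    return policy["ads-pwdid"][0], violations(policy, password)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for dn in ("uid=1286309809117,ou=users,ou=int,o=cpro", "uid=jdoe,ou=users,ou=ext,o=cpro"):
        print(dn, "->", check_user(ents, dn, ents[dn]["userpassword"][0]))
```

Because pwdPolicySubentry is an operational attribute flagged NO-USER-MODIFICATION, the binding must be supplied in the add operation; a later modify adding it is refused with INSUFFICIENT_ACCESS_RIGHTS, as the thread shows. Note also that deleting ads-pwdId=default leaves every unbound entry, including uid=admin,ou=system, with no policy to resolve, which is why the lookup above raises instead of silently passing.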