From: Kiran Ayyagari
To: users@directory.apache.org
Date: Tue, 4 Oct 2011 11:13:09 -0400
Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.

I have found the issue and filed a report[1]
Will let you know after committing the fix (approx. 2 hours).
Appreciate your patience

[1] https://issues.apache.org/jira/browse/DIRSERVER-1665

On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari wrote:
> am currently looking at this issue, will let you know as soon as I find
>
> On Tue, Oct 4, 2011 at 9:39 AM,  wrote:
>> Hi,
>> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
>> 2.) Import LDIF of my own JDBM partition. - OK
>> 3.) Import LDIF root DSE for my new partition - OK
>> 4.) Import LDIF for my own password policy - OK
>> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in step 4. - OK
>> 6.) Try and modify any attribute of user imported in step 5 and the exception below is thrown.
>>
>> Any ideas?
>>
>> // step 5 result
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:33.945
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> employeeNumber: jsmith
>> initials: w
>> sn: Smith
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: top
>> mail: null@locahost
>> givenName: John
>> uid: 1286309809117
>> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> cn: Smith, John
>> displayName: Smith, John
>> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>>
>> // step 6, change givenName
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:47.177
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST
>> Message ID : 14
>>     Modify Request
>>         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
>>             Modification[0]
>>                 Operation : replace
>>                 Modification
>>     givenName: John2
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2: ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: John2
>>
>>
>> // ldif of my password policy
>> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> objectclass: top
>> objectclass: ads-base
>> objectclass: ads-passwordPolicy
>> ads-pwdattribute: userPassword
>> ads-pwdid: cproext
>> ads-enabled: TRUE
>> ads-pwdallowuserchange: TRUE
>> ads-pwdcheckquality: 1
>> ads-pwdexpirewarning: 600
>> ads-pwdfailurecountinterval: 30
>> ads-pwdgraceauthnlimit: 5
>> ads-pwdgraceexpire: 0
>> ads-pwdinhistory: 5
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>> ads-pwdmaxage: 0
>> ads-pwdmaxdelay: 0
>> ads-pwdmaxfailure: 5
>> ads-pwdmaxidle: 0
>> ads-pwdmaxlength: 0
>> ads-pwdminage: 0
>> ads-pwdmindelay: 0
>> ads-pwdminlength: 5
>> ads-pwdmustchange: FALSE
>> ads-pwdsafemodify: FALSE
>>
>> Thank you!!
>>
>>
>> -----Original Message-----
>> From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com]
>> Sent: Friday, September 30, 2011 5:05 PM
>> To: users@directory.apache.org
>> Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.
>>
>> Hi, and thank you for your response.
>>
>> I've been able to create a second policy all along, however I kept running into the same problem when trying to add the 'pwdPolicySubentry' to an existing user.
>> Is it possible to modify the pwdPolicySubentry attribute on an existing user?
>> The schema browser shows that the attribute has a read-only flag ( NO-USER-MODIFICATION ).
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:16:01.784
>> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
>> Message ID : 31
>>     Modify Request
>>         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
>>             Modification[0]
>>                 Operation : add
>>                 Modification
>>     pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC The pwdPolicy subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ]
>> dn: uid=1286309809116,ou=users,ou=int,o=cpro
>> changetype: modify
>> add: pwdPolicySubentry
>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>
>>
>> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however,
>>
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:31:17.973
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> sn: Accorsi
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: inetOrgPerson
>> objectClass: top
>> mail: null
>> givenName: Carlo
>> uid: 1286309809117
>> cn: Accorsi, Carlo
>> displayName: Accorsi, Carlo
>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>>
>> Now when any type of modification is made to the entry, a LOOP_DETECT exception is thrown.
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:45:33.245
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST
>> Message ID : 21
>>     Modify Request
>>         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'
>>             Modification[0]
>>                 Operation : replace
>>                 Modification
>>     givenName: Carlo2
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad: ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: Carlo2
>>
>> Thinking this was because there were two policies, I decided to delete the default password policy. Not smart, now the uid=admin,ou=system user can no longer bind...
>>
>> I'm starting over but can you see anything I'm missing?
>>
>> I know my ads-pwdcheckquality = 2 in my new policy.
>>
>> Thanks,
>> Carlo Accorsi
>>
>> -----Original Message-----
>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
>> Sent: Friday, September 30, 2011 3:39 PM
>> To: users@directory.apache.org
>> Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.
>>
>> On Fri, Sep 30, 2011 at 12:23 PM,  wrote:
>>> I would like to apply and enforce two different password policies to two different sub trees (that share the same root).
>>>
>>> I see where the policies (I think) are supposed to go.
>>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>
>> correct place
>>> The question is how does this policy then get linked or applied to a user?
>>>
>>> In other directory servers, the pwdPolicy schema defines the policy object and all the supporting attributes (min/max pw length, etc).
>>> Then the pwdPolicySubentry attribute (on the user object) refers to the DN of the policy object and this is how it's enforced.
>>>
>>> I can't seem to make the connection in ApacheDS how this occurs?
>>> I've tried creating an ads-passwordPolicy object at the subtree level of my users. Doesn't work.
>>> I've tried creating a simple pwdPolicy object but it cannot be saved because there's no structural objectclass associated with it.
>>>
>> no, this won't work, just create another policy under the above mentioned DN with a name like ads-pwdId=custom and for enforcing this for a specific user:
>> add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN
>>
>> Note that the default password policy (ads-pwdId=default) is applicable for all other user entries which don't have a 'pwdPolicySubEntry'
>> attribute specified.
>>
>>> Even if the functionality isn't fully implemented, I'd like to structure the directory correctly. Your help is most appreciated.
>>>
>> please let us know if you have any other questions
>>
>> HTH
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>

--
Kiran Ayyagari