directory-users mailing list archives

From <Carlo.Acco...@ibs-ag.com>
Subject RE: ApacheDS differentiating Authentication Exceptions
Date Fri, 18 Nov 2011 11:09:31 GMT
Hi again. I'm getting and handling the ASN.1 messages for when a password is about to expire,
when grace logins are left, and for cases where there's no exception.
However, if there's an exception, the response controls are null. In the debugger, I see my
response control present in the LdapContext, but the moment I step over

ctx.modifyAttributes(strDn, mods);

and for example an  javax.naming.directory.InvalidAttributeValueException is thrown for:

: Password should have a minmum of 6 characters 
Or 
: invalid reuse of password present in password history]

The LdapContext is still valid, but the response controls are set to null? I've observed this
by stepping through the code.
I was hoping to catch the reason in the ASN.1 message and handle the failure appropriately from
there.


Thank you,
Carlo Accorsi


-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, November 15, 2011 1:57 PM
To: users@directory.apache.org
Subject: Re: ApacheDS differentiating Authentication Exceptions

On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> On 11/15/11 7:11 PM, Carlo.Accorsi@ibs-ag.com wrote:
>>
>> Ok, when I try and bind with an expired password and all grace logins 
>> are spent, this exception is thrown:
>>
>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS:
>> Bind failed: paasword expired and max grace logins were used]
>>
>>
>> And in the LdapContext.getResponseControls() encodedValue there is this small byte array:
>>
>>  [48, 3, -127, 1, 0]
>>
>> Does anyone know how to interpret or decode this?
>
> This stands for
> 0x30 0x03
>  0x81 0x01 0x00
>
> which means, when correlated with the ASN.1 grammar:
>
>      PasswordPolicyResponseValue ::= SEQUENCE {
>         warning [0] CHOICE {
>            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>         error   [1] ENUMERATED {
>            passwordExpired             (0),
>            accountLocked               (1),
>            changeAfterReset            (2),
>            passwordModNotAllowed       (3),
>            mustSupplyOldPassword       (4),
>            insufficientPasswordQuality (5),
>            passwordTooShort            (6),
>            passwordTooYoung            (7),
>            passwordInHistory           (8) } OPTIONAL }
>
> 0x30 0x03 : SEQUENCE, 3 bytes length
> 0x81 : error [1] (would have been 0x80 for a warning)
> 0x01 : one byte length
> 0x00 : passwordExpired.
>
> ASN.1 can be fun, but only for people who like this part of Pulp Fiction:
> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>
There goes the Christopher Nolan of ASN.1 :) Thanks for putting in many more details than the one I
was about to send.

OTOH, Carlo,
take a look at the control's source present here [1]; you need not (and might not) use all
of it, but some parts can be reused.

[1] http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>



--
Kiran Ayyagari
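As an added example (not code from the thread, from ApacheDS or from the linked codec), here is a small Python decoder that applies the PasswordPolicyResponseValue walk-through above to the byte array Carlo quoted, [48, 3, -127, 1, 0]. The second input is constructed for illustration and shows the warning branch, which is an explicitly tagged CHOICE and therefore arrives as a constructed context tag (0xA0) wrapping the 0x80/0x81 alternative.

```python
# Minimal BER decoder for the LDAP password policy response control value
# (PasswordPolicyResponseValue, draft-behera-ldap-password-policy).
# Added example; names and the constructed sample input are not from the thread.

ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}


def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; short-form lengths only (enough here)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a ppolicy control")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_ppolicy_response(raw):
    """Return {'warning': (name, value) or None, 'error': name or None}."""
    # Accept Java-style signed bytes, e.g. -127 -> 0x81, as printed in the thread.
    buf = bytes(b & 0xFF for b in raw)
    tag, body, end = _tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0]: tagged CHOICE, so constructed; inner tag picks the alternative
            inner_tag, inner_val, _ = _tlv(value, 0)
            result["warning"] = (WARNINGS[inner_tag], int.from_bytes(inner_val, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED, one byte for the values defined
            result["error"] = ERRORS.get(value[0], f"unknown({value[0]})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return result


if __name__ == "__main__":
    print(decode_ppolicy_response([48, 3, -127, 1, 0]))  # the bytes from the thread
    # Constructed sample: warning graceAuthNsRemaining = 2, no error present
    print(decode_ppolicy_response(bytes([0x30, 0x05, 0xA0, 0x03, 0x81, 0x01, 0x02])))
```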
