directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: ApacheDS differentiating Authentication Exceptions
Date Fri, 18 Nov 2011 14:02:34 GMT
most likely it could be a bug, will check that

On Fri, Nov 18, 2011 at 6:09 AM,  <Carlo.Accorsi@ibs-ag.com> wrote:
> Hi again. I'm getting and handling the ASN.1 messages for when a password is about to expire, and grace logins left and cases where there's no exception.
> However, if there's an exception, the response controls are null. In the debugger, I see my response control present in the LdapContext but the moment I step over
> ctx.modifyAttributes(strDn, mods);
>
> and for example a javax.naming.directory.InvalidAttributeValueException is thrown for:
>
> : Password should have a minmum of 6 characters
> Or
> : invalid reuse of password present in password history]
>
> The LdapContext is still valid but the response controls are set null? I've observed this by stepping through the code.
> I was hoping to catch the reason in the ASN message and handle the failure appropriately from there.
>
>
> Thank you,
> Carlo Accorsi
>
>
> -----Original Message-----
> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
> Sent: Tuesday, November 15, 2011 1:57 PM
> To: users@directory.apache.org
> Subject: Re: ApacheDS differentiating Authentication Exceptions
>
> On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
>> On 11/15/11 7:11 PM, Carlo.Accorsi@ibs-ag.com wrote:
>>>
>>> Ok, when I try and bind with an expired password and all grace logins
>>> are spent, this exception is thrown:
>>>
>>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49
>>> -
>>> INVALID_CREDENTIALS: Bind failed: paasword expired and max grace
>>> logins were used]
>>>
>>>
>>> And in the LdapContext.getResponseControls() encodedValue there is this small byte array:
>>>
>>>  [48, 3, -127, 1, 0]
>>>
>>> Does anyone know how to interpret or decode this?
>>
>> This stands for
>> 0x30 0x03
>>  0x81 0x01 0x00
>>
>> which means, when correlated with the ASN.1 grammar :
>>
>>      PasswordPolicyResponseValue ::= SEQUENCE {
>>         warning [0] CHOICE {
>>            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>>            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>>         error   [1] ENUMERATED {
>>            passwordExpired             (0),
>>            accountLocked               (1),
>>            changeAfterReset            (2),
>>            passwordModNotAllowed       (3),
>>            mustSupplyOldPassword       (4),
>>            insufficientPasswordQuality (5),
>>            passwordTooShort            (6),
>>            passwordTooYoung            (7),
>>            passwordInHistory           (8) } OPTIONAL }
>>
>> 0x30 0x03 : SEQUENCE, 3 bytes length
>> 0x81 : error [1] (would have been 0x80 for a warning)
>> 0x01 : one byte length
>> 0x00 : passwordExpired.
>>
>> ASN1 can be fun, but only for people who like this part of Pulp Fiction:
>> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>>
> there goes the Christopher Nolan of ASN1 :) thanks for putting in many more details than the one I was about to send.
>
> OTOH, Carlo -
> take a look at the control's source present here [1], you need not (and might not) use all of it, but some parts can be reused
>
> [1] http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>>
>> --
>> Regards,
>> Cordialement,
>> Emmanuel Lécharny
>> www.iktek.com
>>
>>
>
>
>
> --
> Kiran Ayyagari
>



-- 
Kiran Ayyagari
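
Decoding the control value by eye, as Emmanuel does above, works for a three-byte error but gets error-prone once a warning is present. The following Python decoder is added here as a worked example; it is not code from ApacheDS, from the JNDI API, or from anyone in this thread. It walks the BER octets the same way the breakdown above does: an outer SEQUENCE, then `[0]` warning (a tagged CHOICE, so it is explicitly tagged and appears as constructed tag 0xA0 wrapping an 0x80/0x81 INTEGER) and/or `[1]` error (an implicitly tagged ENUMERATED, tag 0x81, which is what the thread's bytes show). The tagging for the warning branch and all inputs other than the `[48, 3, -127, 1, 0]` array quoted in the thread are constructed assumptions, not captured from a server. The two modify failures Carlo quotes correspond by name to `passwordTooShort` (6) and `passwordInHistory` (8) in the grammar, so those two values are among the constructed inputs.

```python
# Added example (not ApacheDS, JNDI or poster code): a small BER decoder for
# the PasswordPolicyResponseValue carried in the LDAP password policy control
# (draft-behera-ldap-password-policy), following the grammar quoted in the thread.

ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}
WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}


def from_java_bytes(signed):
    """Convert a Java-style signed byte[] (as printed in the thread) to octets."""
    return bytes(b & 0xFF for b in signed)


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def _int(value):
    # BER INTEGER/ENUMERATED is two's complement; values here are 0..maxInt.
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(octets):
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, body, end = _read_tlv(octets, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE tag 0x30, got 0x{tag:02x}")
    if end != len(octets):
        raise ValueError("trailing octets after SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:               # warning [0]: tagged CHOICE -> explicit, constructed
            ctag, cval, cend = _read_tlv(value, 0)
            if ctag not in (0x80, 0x81) or cend != len(value):
                raise ValueError(f"bad warning CHOICE tag 0x{ctag:02x}")
            result["warning"] = (WARNINGS[ctag & 0x1F], _int(cval))
        elif tag == 0x81:             # error [1]: IMPLICIT ENUMERATED, single tag byte
            code = _int(value)
            result["error"] = ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


# THREAD_BYTES is the array quoted in the thread; CONSTRUCTED values are made
# up for this example (assumed encodings, not captured from a server).
THREAD_BYTES = [48, 3, -127, 1, 0]
CONSTRUCTED = {
    "graceAuthNsRemaining=2": bytes.fromhex("3005a003810102"),
    "timeBeforeExpiration=3600": bytes.fromhex("3006a00480020e10"),
    "passwordTooShort": bytes.fromhex("3003810106"),
    "passwordInHistory": bytes.fromhex("3003810108"),
}

if __name__ == "__main__":
    print("thread bytes ->", decode_ppolicy_response(from_java_bytes(THREAD_BYTES)))
    for label, octets in CONSTRUCTED.items():
        print(f"{label:28} ->", decode_ppolicy_response(octets))
```

`from_java_bytes` exists only because `Control.getEncodedValue()` hands back a Java `byte[]`, whose elements print as signed values (hence the `-127` for tag 0x81). Any `ValueError` from the decoder means the octets are not a well-formed PasswordPolicyResponseValue and should be logged rather than interpreted.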
