Subject: RE: ApacheDS Password policy issues
Date: Thu, 10 Nov 2011 16:23:31 +0100
Reply-To: users@directory.apache.org
Message-ID: <2BE7E81B77921F43A6A273C2DF2FA6A43A625A5749@IBSMBX.ibs-ag.com>
References: <2BE7E81B77921F43A6A273C2DF2FA6A43A42781D7A@IBSMBX.ibs-ag.com>

Hi, my fault for the delay responding.. I'm running 2.0.0-M4-SNAPSHOT off the trunk.

I'm trying to capture response controls in 2 cases and I cannot get either to work.

a.) When I update the userPassword attribute and policy requirements are not met
b.) When the user logs in and a policy threshold is exceeded. Expiry, history, lockout, etc.

In both cases either the response controls are null or the response control returned has no data. Details below.

I have created password request and response control classes that implement javax.naming.ldap.Control.
The interface method getId() returns "1.3.6.1.4.1.42.2.27.8.5.1", which is a static member named OID.
The policy response class extends the request class.

I have a ControlFactory class which implements javax.naming.ldap.ControlFactory and is added to my environment like this:

    env.put(LdapContext.CONTROL_FACTORIES, "com.my.MyControlFactory");

The interface method below in my control factory only tests for data.
    public Control getControlInstance(Control ctl) {
        Control result = null;
        if (ctl.getID().equals(ControlPasswordPolicyResponse.OID)) {
            if (ctl.getEncodedValue() == null) {
                System.out.println("No data in response control");
            }
        }
        // Returning null tells JNDI that this factory did not handle the control,
        // so the caller gets the undecoded control back from getResponseControls().
        return result;
    }

For example, when I try and update a password (that's in the history) the following exception is thrown but the response controls are null:

javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
Message ID : 2
    Modify Request
        Object : 'uid=1320256180937,ou=users,ou=int,o=cpro'
            Modification[0]
                Operation : replace
                Modification
    userPassword: '0x31 0x32 0x33 0x34 0x35 0x36 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@b6209aee    ManageDsaITImpl Control
        Type OID    : '2.16.840.1.113730.3.4.2'
        Criticality : 'false'
' : invalid reuse of password present in password history]; remaining name 'uid=1320256180937,ou=users,ou=int,o=cpro'

Again, if the supplied password is too short, I get the exception but the response controls are null:

javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
Message ID : 2
    Modify Request
        Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
            Modification[0]
                Operation : replace
                Modification
    userPassword: '0x31 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@67f2066a    ManageDsaITImpl Control
        Type OID    : '2.16.840.1.113730.3.4.2'
        Criticality : 'false'
' : Password should have a minmum of 3 characters]; remaining name 'uid=1320878789594,ou=users,ou=ext,o=cpro'

The OID in these exceptions is a Netscape V3 control: http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.html

Finally, when the policy is set to expire after 30 seconds (ads-pwdmaxage=30) and the user's password is older than this, a response control is returned, but its getEncodedData() is null.
This same thing happens when policy conditions are met and the login is successful.

Thanks for your help.
Carlo

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Thursday, October 13, 2011 4:17 PM
To: users@directory.apache.org
Subject: Re: ApacheDS Password policy issues

On Tue, Oct 11, 2011 at 3:11 PM, wrote:
> Hi, I've been working with the password policy functionality this week and have encountered a few issues I'm hoping you can help clarify.
>
> These attributes are on the policy itself unless otherwise specified.
>
> 1. ads-pwdminlength (minimum # of chars required for a password) having a non-zero value accepts passwords that are any length.
>    a. I didn't test ads-pwdmaxlength but might check that while you're there.
>
> 2. The value ads-pwdmaxage is supposed to be how long a password is valid (in seconds).
>    a. Setting this to a non-zero value causes a pwdChangedTime attribute to be set on the user when their password changes (ok)
>    b. However it never enforces the expiry
>       i. The ads-pwdgraceauthnlimit (# of grace logins after expiration) doesn't seem to have any effect
>       ii. Also setting ads-pwdexpirewarning above and below the max age doesn't seem to matter either
>    c. If it did expire, how is this indicated on the user object?
>

Have fixed this issue. The server indicates the expiry to the user by sending the ppolicy response control, after setting the timeBeforeExpiration property to the time left before the password expires.
Note that this only happens if the user sent a request with the ppolicy control (OID 1.3.6.1.4.1.42.2.27.8.5.1).

> 3. When ads-pwdmaxfailure (number of times a failed bind is permitted) is set to 5, it allows 11 login failures before locking the account.
>    a. Each login failure creates an additional pwdFailureTime attribute for the user (ok)
>    b. The pwdAccountLockedTime attribute is created after the 11th failed bind. (Also what we want, but after 5 failures)
>    c. This might be some caching issue because I think once it took 13 failed attempts before it locked.
>

This is a bit strange, do you have some custom caching mechanism in place? OR some custom authenticator implementation that doesn't inherit the AbstractAuthenticator?

> 4. When ads-pwdinhistory (# of old passwords kept so they're not reused) is set to 5.
>    a. Users initially have no pwdHistory attribute (ok)
>    b. Each of the first 5 password changes happens successfully, each time adding a new pwdHistory attribute to the user. (ok)
>    c. On the 6th change, the exception below occurs. It's like it needs to reuse the first pwdHistory attribute but cannot.
>

Have fixed this issue, please verify with the latest trunk and let us know.
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-10-11T14:32:58.205
> #!ERROR [LDAP: error code 20 - ATTRIBUTE_OR_VALUE_EXISTS: failed for MessageType : MODIFY_REQUEST
> Message ID : 29
>     Modify Request
>         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
>             Modification[0]
>                 Operation : replace
>                 Modification
>     userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x79 0x59 0x53 0x75 0x30 0x42 0x53 0x75 0x78 0x32 0x49 ...'
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@3d1acad9: ERR_54 Cannot add a value which is already present : '0x32 0x30 0x31 0x31 0x31 0x30 0x31 0x31 0x31 0x38 0x33 0x32 0x30 0x34 0x5A 0x23 ...']
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: modify
> replace: userPassword
> userPassword:: e1NIQX15VVN1MEJTdXgySTZWUEJaSGFCNmhmMUxkaTA9
>
> I'll keep testing and thank you in advance!!
> Carlo Accorsi
>

--
Kiran Ayyagari
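Added example, not code from this thread and not ApacheDS code: a JNDI control factory that decodes the value of the ppolicy response control (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1) instead of only testing whether a value is present, together with the wiring that attaches the matching request control to the bind and to the userPassword modify, so the server has a reason to answer with the response control Kiran describes above. The names PasswordPolicyDemo, Request, Response, Factory, connect and changePassword are mine; the BER values in main() are constructed, not captured from a server; and the statement that the Sun/Oracle JNDI provider keeps the response controls of a refused modifyAttributes on the context, so that getResponseControls() can be read in the catch block, is an assumption about that provider, not something the thread confirms.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InvalidAttributeValueException;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.ControlFactory;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public final class PasswordPolicyDemo {
    /** One OID serves both the request control (no value) and the response control. */
    public static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    /** Request control: same OID, empty value, non-critical. Without it the server sends no response control. */
    public static final class Request extends BasicControl {
        public Request() { super(PPOLICY_OID, false, null); }
    }

    /** Decoded response control; -1 marks an OPTIONAL element the server did not send. */
    public static final class Response extends BasicControl {
        public final int timeBeforeExpiration, graceAuthNsRemaining, error;
        Response(byte[] raw, int time, int grace, int error) {
            super(PPOLICY_OID, false, raw);
            timeBeforeExpiration = time; graceAuthNsRemaining = grace; this.error = error;
        }
        @Override public String toString() {
            return "ppolicy{timeBeforeExpiration=" + timeBeforeExpiration + ", graceAuthNsRemaining="
                + graceAuthNsRemaining + ", error=" + error + "}";
        }
    }

    /** Registered via LdapContext.CONTROL_FACTORIES; JNDI instantiates it by name, hence the no-arg ctor. */
    public static final class Factory extends ControlFactory {
        public Factory() {}
        @Override public Control getControlInstance(Control ctl) throws NamingException {
            if (!PPOLICY_OID.equals(ctl.getID())) return null;      // not ours: JNDI tries the next factory
            try { return decode(ctl.getEncodedValue()); }
            catch (IOException e) {
                NamingException ne = new NamingException("malformed ppolicy response value");
                ne.setRootCause(e); throw ne;
            }
        }
    }

    /* PasswordPolicyResponseValue ::= SEQUENCE {
     *   warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL,
     *   error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), changeAfterReset(2), passwordModNotAllowed(3),
     *     mustSupplyOldPassword(4), insufficientPasswordQuality(5), passwordTooShort(6), passwordTooYoung(7), passwordInHistory(8) } OPTIONAL }
     * Wire form: 30 len [ A0 len ( 80|81 len INTEGER ) ] [ 81 len ENUMERATED ] */
    static Response decode(byte[] v) throws IOException {
        int time = -1, grace = -1, err = -1;
        if (v == null || v.length == 0) return new Response(v, time, grace, err); // control sent, nothing to report
        int[] p = {0};
        if ((v[p[0]++] & 0xFF) != 0x30) throw new IOException("expected SEQUENCE");
        int end = p[0] + length(v, p);
        while (p[0] < end) {
            int tag = v[p[0]++] & 0xFF, len = length(v, p), next = p[0] + len;
            if (tag == 0xA0) {                                       // warning [0], constructed
                int ctag = v[p[0]++] & 0xFF, clen = length(v, p);
                if (ctag == 0x80) time = integer(v, p[0], clen);
                else if (ctag == 0x81) grace = integer(v, p[0], clen);
                else throw new IOException("unexpected warning tag " + ctag);
            } else if (tag == 0x81) {                                // error [1], primitive ENUMERATED
                err = integer(v, p[0], len);
            } else throw new IOException("unexpected tag " + tag);
            p[0] = next;
        }
        return new Response(v, time, grace, err);
    }

    static int length(byte[] v, int[] p) throws IOException {       // BER length, short or long form
        int b = v[p[0]++] & 0xFF;
        if (b < 0x80) return b;
        int n = b & 0x7F, len = 0;
        if (n == 0 || n > 4) throw new IOException("unsupported length encoding");
        while (n-- > 0) len = (len << 8) | (v[p[0]++] & 0xFF);
        return len;
    }

    static int integer(byte[] v, int off, int len) throws IOException {
        if (len < 1 || len > 4) throw new IOException("bad INTEGER length " + len);
        int r = 0;
        for (int i = 0; i < len; i++) r = (r << 8) | (v[off + i] & 0xFF);
        return r;
    }

    /** Bind with the request control attached; needs a live server, so main() does not call it. */
    static LdapContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(LdapContext.CONTROL_FACTORIES, Factory.class.getName()); // "PasswordPolicyDemo$Factory"
        return new InitialLdapContext(env, new Control[] { new Request() });
    }

    /** Replace userPassword with the request control attached and return the decoded policy answer. */
    static Response changePassword(LdapContext ctx, String userDn, String newPassword) throws NamingException {
        ctx.setRequestControls(new Control[] { new Request() });
        ModificationItem[] mods = { new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userPassword", newPassword)) };
        try {
            ctx.modifyAttributes(userDn, mods);
        } catch (InvalidAttributeValueException e) {
            // error code 19: the reason (passwordTooShort=6, passwordInHistory=8) is in the response control.
            // Assumption: the Sun/Oracle provider keeps the refused operation's response controls on ctx.
        }
        Control[] resp = ctx.getResponseControls();                  // already run through Factory by JNDI
        if (resp != null) for (Control c : resp) if (c instanceof Response) return (Response) c;
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values (not captured from a server), encoded per the comment on decode().
        byte[] expiresSoon = {0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x80, 0x01, 0x1E};         // 30 s left
        byte[] inHistory   = {0x30, 0x03, (byte) 0x81, 0x01, 0x08};                             // passwordInHistory
        byte[] graceLogin  = {0x30, 0x08, (byte) 0xA0, 0x03, (byte) 0x81, 0x01, 0x02, (byte) 0x81, 0x01, 0x00};
        for (byte[] v : new byte[][] { expiresSoon, inHistory, graceLogin, new byte[0] }) System.out.println(decode(v));
    }
}
```

Compile with javac and run java PasswordPolicyDemo to see the three constructed values decoded (30 seconds before expiry; error 8, passwordInHistory; 2 grace logins plus error 0, passwordExpired) and the empty-value case Carlo reports, which this decoder treats as "control present, nothing to report". The factory must be registered under its binary name, PasswordPolicyDemo$Factory, which is what Factory.class.getName() yields. When the bind itself is refused, the InitialLdapContext constructor throws and there is no context whose response controls can be read, so the accountLocked and passwordExpired errors for a failed login are easier to observe through reconnect() on an already-open context or with a client library that exposes bind response controls.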