Date: Fri, 18 Nov 2011 17:08:55 +0100
Subject: RE: ApacheDS differentiating Authentication Exceptions
Reply-To: users@directory.apache.org
Message-ID: <2BE7E81B77921F43A6A273C2DF2FA6A43A6306196D@IBSMBX.ibs-ag.com>

Say for example "123" is in your password history.

Create an admin LdapContext with a PasswordRequestControl. (ctx)

    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InvalidAttributeValueException;
    import javax.naming.directory.ModificationItem;

    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
            new BasicAttribute("userPassword", "123"));
    // try to set the password to an entry in history
    try {
        // response controls set in ctx here
        ctx.modifyAttributes(strDn, mods);
    } catch (InvalidAttributeValueException e) {
        // response control will be null here.
        e.printStackTrace(); // below
    }

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
Message ID : 4
    Modify Request
        Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
            Modification[0]
                Operation : replace
                Modification
    userPassword: '0x32 0x32 0x32 0x32 0x32 0x32 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@f757cf46
    ManageDsaITImpl Control
        Type OID : '2.16.840.1.113730.3.4.2'
        Criticality : 'false'
' : invalid reuse of password present in password history]; remaining name 'uid=1320878789594,ou=users,ou=ext,o=cpro'

Regards,
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Friday, November 18, 2011 9:59 AM
To: users@directory.apache.org
Subject: Re: ApacheDS differentiating Authentication Exceptions

have checked the code but didn't find any obvious issue, do you have a test case that I can use to reproduce?

On Fri, Nov 18, 2011 at 9:02 AM, Kiran Ayyagari wrote:
> most likely it could be a bug, will check that
>
> On Fri, Nov 18, 2011 at 6:09 AM, wrote:
>> Hi again. I'm getting and handling the ASN.1 messages for when a password is about to expire, and grace logins left and cases where there's no exception.
>> However, if there's an exception, the response controls are null. In the debugger, I see my response control present in the LdapContext but the moment I step over ctx.modifyAttributes(strDn, mods);
>>
>> and for example a javax.naming.directory.InvalidAttributeValueException is thrown for:
>>
>> : Password should have a minmum of 6 characters Or
>> : invalid reuse of password present in password history]
>>
>> The LdapContext is still valid but the response controls are set null? I've observed this by stepping through the code.
>> I was hoping to catch the reason in the ASN message and handle the failure appropriately from there.
>>
>>
>> Thank you,
>> Carlo Accorsi
>>
>>
>> -----Original Message-----
>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
>> Sent: Tuesday, November 15, 2011 1:57 PM
>> To: users@directory.apache.org
>> Subject: Re: ApacheDS differentiating Authentication Exceptions
>>
>> On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny wrote:
>>> On 11/15/11 7:11 PM, Carlo.Accorsi@ibs-ag.com wrote:
>>>>
>>>> Ok, when I try and bind with an expired password and all grace logins are spent, this exception is thrown:
>>>>
>>>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: paasword expired and max grace logins were used]
>>>>
>>>>
>>>> And in the LdapContext.getResponseControls() encodedValue there is this small byte array:
>>>>
>>>> [48, 3, -127, 1, 0]
>>>>
>>>> Does anyone know how to interpret or decode this?
>>>
>>> This stands for
>>> 0x30 0x03
>>>   0x81 0x01 0x00
>>>
>>> which means, when correlated with the ASN.1 grammar :
>>>
>>>     PasswordPolicyResponseValue ::= SEQUENCE {
>>>         warning [0] CHOICE {
>>>             timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>>>             graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>>>         error   [1] ENUMERATED {
>>>             passwordExpired             (0),
>>>             accountLocked               (1),
>>>             changeAfterReset            (2),
>>>             passwordModNotAllowed       (3),
>>>             mustSupplyOldPassword       (4),
>>>             insufficientPasswordQuality (5),
>>>             passwordTooShort            (6),
>>>             passwordTooYoung            (7),
>>>             passwordInHistory           (8) } OPTIONAL }
>>>
>>> 0x30 0x03 : SEQUENCE, 3 bytes length
>>> 0x81 : error [1] (would have been 0x80 for a warning)
>>> 0x01 : one byte length
>>> 0x00 : passwordExpired.
>>>
>>> ASN1 can be fun, but only for people who like this part of Pulp Fiction :
>>> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>>>
>> there goes the Christopher Nolan of ASN1 :) thanks for putting many more details than the one I was about to send.
>>
>> OTOH, Carlo -
>> take a look at the control's source present here [1], you need not (and might not) use all of it, but some parts can be reused
>>
>> [1] http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>>>
>>> --
>>> Regards,
>>> Cordialement,
>>> Emmanuel Lécharny
>>> www.iktek.com
>>>
>>>
>>
>>
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>

--
Kiran Ayyagari
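A worked decoder for the PasswordPolicyResponseValue bytes discussed in the thread, added here as an example; it is not code from the thread, from ApacheDS, or from the svn link Kiran posted. It is written in Python rather than Java so the byte walk can be checked offline against Emmanuel's reading of [48, 3, -127, 1, 0]. It follows the draft-behera-ldap-password-policy grammar quoted above and the control OID 1.3.6.1.4.1.42.2.27.8.5.1 from that draft. One caveat worth building in: `warning` is a CHOICE, and a CHOICE cannot be implicitly tagged, so on the wire a warning arrives as a constructed [0] wrapper (0xA0) around a 0x80 (timeBeforeExpiration) or 0x81 (graceAuthNsRemaining) INTEGER, not as a bare 0x80; the decoder handles both the warning and error branches and rejects malformed input rather than guessing. The warning sample values in the `__main__` block are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union, Sequence

# Control OID of the LDAP password policy control (draft-behera-ldap-password-policy).
PASSWORD_POLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Context tags inside PasswordPolicyResponseValue (see the ASN.1 quoted in the thread).
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0          # warning [0] CHOICE: explicit, hence constructed
TAG_ERROR = 0x81            # error [1] ENUMERATED: implicit, primitive
WARNING_NAMES = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}
ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


@dataclass
class PasswordPolicyResponse:
    warning: Optional[Tuple[str, int]] = None   # (name, value)
    error: Optional[str] = None


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV (single-byte tag, definite length). Returns (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("length exceeds available data")
    return tag, data[pos:pos + length], pos + length


def _decode_uint(value: bytes) -> int:
    """Decode a BER INTEGER constrained to (0 .. maxInt)."""
    if not value:
        raise ValueError("empty INTEGER")
    v = int.from_bytes(value, "big", signed=True)
    if v < 0:
        raise ValueError("negative value not allowed here")
    return v


def decode_ppolicy_response(raw: Union[bytes, Sequence[int]]) -> PasswordPolicyResponse:
    """Decode a PasswordPolicyResponseValue from bytes or from a Java-style
    signed byte list such as [48, 3, -127, 1, 0] (JNDI's encodedValue)."""
    data = bytes(b & 0xFF for b in raw)       # -127 -> 0x81 etc.
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(data):
        raise ValueError("trailing bytes after SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            if resp.warning is not None:
                raise ValueError("duplicate warning")
            ctag, cval, cend = _read_tlv(value, 0)   # the inner CHOICE alternative
            if cend != len(value) or ctag not in WARNING_NAMES:
                raise ValueError("malformed warning CHOICE")
            resp.warning = (WARNING_NAMES[ctag], _decode_uint(cval))
        elif tag == TAG_ERROR:
            if resp.error is not None:
                raise ValueError("duplicate error")
            code = _decode_uint(value)
            if code not in ERROR_NAMES:
                raise ValueError(f"unknown error code {code}")
            resp.error = ERROR_NAMES[code]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return resp


if __name__ == "__main__":
    # The byte array Carlo saw after the expired-password bind.
    print(decode_ppolicy_response([48, 3, -127, 1, 0]))
    # Constructed samples: a "3 grace logins left" warning, and a warning plus error together.
    print(decode_ppolicy_response(bytes.fromhex("3005a003810103")))
    print(decode_ppolicy_response(bytes.fromhex("3008a003810102810108")))
```

To use it from a JNDI client, hand `decode_ppolicy_response` the `encodedValue` of the response control whose `getID()` equals `PASSWORD_POLICY_OID`; the caveat in the thread still stands, since a control that the context has dropped on exception cannot be decoded by anyone.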