From: Kiran Ayyagari
To: users@directory.apache.org
Date: Fri, 18 Nov 2011 09:02:34 -0500
Subject: Re: ApacheDS differentiating Authentication Exceptions

most likely it could be a bug, will check that

On Fri, Nov 18, 2011 at 6:09 AM, wrote:
> Hi again. I'm getting and handling the ASN.1 messages for when a password is about to expire, and grace logins left and cases where there's no exception.
> However, if there's an exception, the response controls are null. In the debugger, I see my response control present in the LdapContext but the moment, I step over
> ctx.modifyAttributes(strDn, mods);
>
> and for example an javax.naming.directory.InvalidAttributeValueException is thrown for:
>
> : Password should have a minmum of 6 characters
> Or
> : invalid reuse of password present in password history]
>
> The LdapContext is still valid but the response controls are set null? I've observed this by stepping through the code.
> I was hoping to catch the reason in the ASN message and handle the failure appropriately from there.
>
>
> Thank you,
> Carlo Accorsi
>
>
> -----Original Message-----
> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
> Sent: Tuesday, November 15, 2011 1:57 PM
> To: users@directory.apache.org
> Subject: Re: ApacheDS differentiating Authentication Exceptions
>
> On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny wrote:
>> On 11/15/11 7:11 PM, Carlo.Accorsi@ibs-ag.com wrote:
>>>
>>> Ok, when I try and bind with an expired password and all grace logins
>>> are spent, this exception is thrown:
>>>
>>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 -
>>> INVALID_CREDENTIALS: Bind failed: paasword expired and max grace
>>> logins were used]
>>>
>>>
>>> And in the LdapContext. getResponseControls() encodedValue there is
>>> this small byte array:
>>>
>>> [48, 3, -127, 1, 0]
>>>
>>> Does anyone know how to interpret or decode this?
>>
>> This stands for
>> 0x30 0x03
>>  0x81 0x01 0x00
>>
>> which means, when correlated with the ASN.1 grammar :
>>
>>      PasswordPolicyResponseValue ::= SEQUENCE {
>>         warning [0] CHOICE {
>>            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>>            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>>         error   [1] ENUMERATED {
>>            passwordExpired             (0),
>>            accountLocked               (1),
>>            changeAfterReset            (2),
>>            passwordModNotAllowed       (3),
>>            mustSupplyOldPassword       (4),
>>            insufficientPasswordQuality (5),
>>            passwordTooShort            (6),
>>            passwordTooYoung            (7),
>>            passwordInHistory           (8) } OPTIONAL }
>>
>> 0x30 0x03 : SEQUENCE, 3 bytes length
>> 0x81 : error [1] (would have been 0x80 for a warning)
>> 0x01 : one byte length
>> 0x00 : passwordExpired.
>>
>> ASN1 can be fun, but only for people who like this part of Pulp Fiction :
>> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>>
> there goes the Christopher Nolan of ASN1 :) thanks for putting in more details than the one I was about to send.
>
> OTOH, Carlo -
> take a look at the control's source present here [1], you need not (and might not) use all of it, but some parts can be reused
>
> [1] http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>>
>> --
>> Regards,
>> Cordialement,
>> Emmanuel Lécharny
>> www.iktek.com
>>
>>
>
>
>
> --
> Kiran Ayyagari
>

-- 
Kiran Ayyagari
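
Added example, not part of the thread and not ApacheDS's own codec: a small Java decoder for the PasswordPolicyResponseValue bytes discussed above, of the kind a JNDI client gets from a response control's getEncodedValue(). It assumes short-form BER lengths and that the warning CHOICE arrives wrapped in a constructed [0] tag (0xA0); the class and method names are hypothetical and the second byte array is a constructed sample.

```java
import java.util.Arrays;

public class PpolicyResponseDecoder {
    static final String[] ERRORS = { "passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
        "passwordTooShort", "passwordTooYoung", "passwordInHistory" };
    private final byte[] buf;
    private int pos;
    PpolicyResponseDecoder(byte[] buf) { this.buf = buf; }

    // Read a tag and a short-form length, refusing anything that overruns limit.
    private int[] header(int limit) {
        if (pos + 2 > limit) throw new IllegalArgumentException("truncated header");
        int tag = buf[pos++] & 0xFF, len = buf[pos++] & 0xFF;
        if (len > 127 || pos + len > limit) throw new IllegalArgumentException("bad length");
        return new int[] { tag, len };
    }

    // INTEGER and ENUMERATED values in this control are non-negative and fit in an int.
    private int integer(int len) {
        if (len < 1 || len > 4 || buf[pos] < 0) throw new IllegalArgumentException("bad integer");
        int v = 0;
        for (int end = pos + len; pos < end; pos++) v = (v << 8) | (buf[pos] & 0xFF);
        return v;
    }

    static String decode(byte[] value) {
        PpolicyResponseDecoder d = new PpolicyResponseDecoder(value);
        int[] seq = d.header(value.length);
        if (seq[0] != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
        int end = d.pos + seq[1];
        String warning = "none", error = "none";
        while (d.pos < end) {
            int[] h = d.header(end);
            if (h[0] == 0xA0) {        // assumption: warning [0] is constructed and wraps the CHOICE
                int wEnd = d.pos + h[1];
                int[] c = d.header(wEnd);
                if ((c[0] != 0x80 && c[0] != 0x81) || d.pos + c[1] != wEnd) throw new IllegalArgumentException("bad warning choice");
                warning = (c[0] == 0x80 ? "timeBeforeExpiration=" : "graceAuthNsRemaining=") + d.integer(c[1]);
            } else if (h[0] == 0x81) { // error [1] ENUMERATED, as in the bytes from the thread
                int code = d.integer(h[1]);
                error = code < ERRORS.length ? ERRORS[code] : "unknown(" + code + ")";
            } else throw new IllegalArgumentException("unexpected tag 0x" + Integer.toHexString(h[0]));
        }
        return "warning=" + warning + ", error=" + error;
    }

    public static void main(String[] args) {
        byte[][] samples = { { 48, 3, -127, 1, 0 },                             // value quoted in the thread
                             { 0x30, 5, (byte) 0xA0, 3, (byte) 0x81, 1, 2 } }; // constructed sample
        for (byte[] v : samples) System.out.println(Arrays.toString(v) + " -> " + decode(v));
    }
}
```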