Hi Everyone.

We're still stuck on this one. Does anyone have a suggestion of how to handle this? We've tried coding around this but we keep coming back to it.

In summary, when we're changing a user's password and it's in the history, an InvalidAttributeValueException is thrown but the response controls in the LdapContext are null. When we make the request with our PasswordRequestControl class OID = "1.3.6.1.4.1.42.2.27.8.5.1".

Are we going about this the wrong way? I was hoping to catch the InvalidAttributeValueException but then determine from the response control that the password was in the history and raise the appropriate error in our user interface.

Thanks

-----Original Message-----
From: Accorsi, Carlo
Sent: Wednesday, November 30, 2011 2:45 PM
To: 'users@directory.apache.org'
Subject: FW: ApacheDS differentiating Authentication Exceptions

-----Original Message-----
From: Accorsi, Carlo
Sent: Friday, November 18, 2011 11:09 AM
To: users@directory.apache.org
Subject: RE: ApacheDS differentiating Authentication Exceptions

Say for example "123" is in your password history.
Create an admin LdapContext with a PasswordRequestControl. (ctx)

ModificationItem[] mods = new ModificationItem[1];
mods[0] = new ModificationItem(ctx.REPLACE_ATTRIBUTE, new BasicAttribute("userPassword","123"));

// try to set the password to entry in history
try {
    // response controls set in ctx here
    ctx.modifyAttributes(strDn, mods);
} catch (InvalidAttributeValueException e){
    // response control will be null here.
    e.printStackTrace(); // below
}

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
Message ID : 4
    Modify Request
        Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
            Modification[0]
                Operation : replace
                Modification
userPassword: '0x32 0x32 0x32 0x32 0x32 0x32 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@f757cf46
    ManageDsaITImpl Control
        Type OID : '2.16.840.1.113730.3.4.2'
        Criticality : 'false'
'
: invalid reuse of password present in password history]; remaining name 'uid=1320878789594,ou=users,ou=ext,o=cpro'

Regards,
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Friday, November 18, 2011 9:59 AM
To: users@directory.apache.org
Subject: Re: ApacheDS differentiating Authentication Exceptions

have checked the code but didn't find any obvious issue, do you have a test case that I can use to reproduce?

On Fri, Nov 18, 2011 at 9:02 AM, Kiran Ayyagari wrote:
> most likely it could be a bug, will check that
>
> On Fri, Nov 18, 2011 at 6:09 AM, wrote:
>> Hi again. I'm getting and handling the ASN.1 messages for when a password is about to expire, and grace logins left and cases where there's no exception.
>> However, if there's an exception, the response controls are null. In
>> the debugger, I see my response control present in the LdapContext
>> but the moment, I step over ctx.modifyAttributes(strDn, mods);
>>
>> and for example an javax.naming.directory.InvalidAttributeValueException is thrown for:
>>
>> : Password should have a minmum of 6 characters
>> Or
>> : invalid reuse of password present in password history]
>>
>> The LdapContext is still valid but the response controls are set null? I've observed this by stepping through the code.
>> I was hoping to catch the reason in the ASN message and handle the failure appropriately from there.
>>
>>
>> Thank you,
>> Carlo Accorsi
>>
>>
>> -----Original Message-----
>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
>> Sent: Tuesday, November 15, 2011 1:57 PM
>> To: users@directory.apache.org
>> Subject: Re: ApacheDS differentiating Authentication Exceptions
>>
>> On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny wrote:
>>> On 11/15/11 7:11 PM, Carlo.Accorsi@ibs-ag.com wrote:
>>>>
>>>> Ok, when I try and bind with an expired password and all grace
>>>> logins are spent, this exception is thrown:
>>>>
>>>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: paasword expired and max grace logins were used]
>>>>
>>>>
>>>> And in the LdapContext.getResponseControls() encodedValue there is
>>>> this small byte array:
>>>>
>>>>  [48, 3, -127, 1, 0]
>>>>
>>>> Does anyone know how to interpret or decode this?
>>>
>>> This stands for
>>> 0x30 0x03
>>>  0x81 0x01 0x00
>>>
>>> which means, when correlated with the ASN.1 grammar :
>>>
>>>      PasswordPolicyResponseValue ::= SEQUENCE {
>>>         warning [0] CHOICE {
>>>            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>>>            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>>>         error   [1] ENUMERATED {
>>>            passwordExpired             (0),
>>>            accountLocked               (1),
>>>            changeAfterReset            (2),
>>>            passwordModNotAllowed       (3),
>>>            mustSupplyOldPassword       (4),
>>>            insufficientPasswordQuality (5),
>>>            passwordTooShort            (6),
>>>            passwordTooYoung            (7),
>>>            passwordInHistory           (8) } OPTIONAL }
>>>
>>> 0x30 0x03 : SEQUENCE, 3 bytes length
>>> 0x81 : error [1] (would have been 0x80 for a warning)
>>> 0x01 : one byte length
>>> 0x00 : passwordExpired.
>>>
>>> ASN1 can be fun, but only for people who like this part of Pulp Fiction :
>>> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>>>
>> there goes the Christopher Nolan of ASN1 :) thanks for putting many details than the one I was about to send.
>>
>> OTOH, Carlo -
>> take a look at the control's source present here [1], you need
>> not(and might not) use all of it, but some parts can be reused
>>
>> [1]
>> http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>>>
>>> --
>>> Regards,
>>> Cordialement,
>>> Emmanuel Lécharny
>>> www.iktek.com
>>>
>>>
>>
>>
>>
>> --
>> Kiran Ayyagari
>
>
>
> --
> Kiran Ayyagari

--
Kiran Ayyagari
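
The byte-by-byte decoding walked through in the thread can be done in code with a small BER reader that follows the quoted PasswordPolicyResponseValue grammar. This is an added example, not code from the thread or from ApacheDS; the class and method names are hypothetical, only short-form lengths are handled, and it assumes the warning element arrives as a constructed [0] wrapper (tag 0xA0) around the CHOICE.

```java
public class PpolicyResponseDecoder {
    // Names in the order of the ENUMERATED in the grammar quoted in the thread.
    static final String[] ERRORS = { "passwordExpired", "accountLocked",
        "changeAfterReset", "passwordModNotAllowed", "mustSupplyOldPassword",
        "insufficientPasswordQuality", "passwordTooShort", "passwordTooYoung",
        "passwordInHistory" };

    // Decodes a BER PasswordPolicyResponseValue (short-form lengths only).
    static String decode(byte[] ber) {
        if (ber == null || ber.length < 2 || ber[0] != 0x30 || 2 + len(ber, 1) != ber.length)
            throw bad("not a well-formed SEQUENCE");
        StringBuilder out = new StringBuilder();
        for (int pos = 2; pos < ber.length; ) {
            int tag = ber[pos] & 0xFF, l = len(ber, pos + 1), start = pos + 2;
            if (start + l > ber.length) throw bad("truncated element");
            if (tag == 0xA0) {            // warning [0]: constructed wrapper around the CHOICE
                if (l < 3 || len(ber, start + 1) != l - 2) throw bad("bad warning");
                int choice = ber[start] & 0xFF;
                if (choice != 0x80 && choice != 0x81) throw bad("unknown warning choice");
                out.append(choice == 0x80 ? "timeBeforeExpiration=" : "graceAuthNsRemaining=")
                   .append(toInt(ber, start + 2, l - 2)).append(' ');
            } else if (tag == 0x81) {     // error [1]: primitive ENUMERATED
                int code = toInt(ber, start, l);
                if (code < 0 || code >= ERRORS.length) throw bad("unknown error " + code);
                out.append("error=").append(ERRORS[code]).append(' ');
            } else throw bad("unexpected tag " + tag);
            pos = start + l;
        }
        return out.toString().trim();
    }
    static int len(byte[] b, int i) {     // short-form length octet, 0..127
        if (i >= b.length || b[i] < 0) throw bad("unsupported length");
        return b[i];
    }
    static int toInt(byte[] b, int off, int n) {  // big-endian two's complement
        if (n < 1 || n > 4) throw bad("bad integer size");
        int v = b[off];                   // sign-extends the first octet
        for (int i = 1; i < n; i++) v = (v << 8) | (b[off + i] & 0xFF);
        return v;
    }
    static IllegalArgumentException bad(String m) { return new IllegalArgumentException(m); }

    public static void main(String[] args) {
        // The control value quoted in the thread.
        System.out.println(decode(new byte[] {48, 3, -127, 1, 0}));
        // Constructed sample: one grace login left plus passwordInHistory.
        System.out.println(decode(new byte[] {0x30, 8, (byte) 0xA0, 3, (byte) 0x81, 1, 1, (byte) 0x81, 1, 8}));
    }
}
```

The input to decode is the byte array returned by the response control's getEncodedValue(), whenever a response control is present.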