directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: 2 issues with Password policy response warnings / types
Date Thu, 21 Jun 2012 22:40:12 GMT
Le 6/21/12 8:24 PM, Carlo.Accorsi@ibs-ag.com a écrit :
> Hi, we're deep into testing the password policy and we came across this situation.  Using
 DS built from the trunk version 1349996
>
> Short description. In the ASN.1 response:
> When the password is expiring in 60 seconds , the three bytes should be  -128, 0, 60
 instead they are -128, 1, 60
No. The second byte is the length of the next field. Controls are 
encoded using BER encoding, which means every PDU is encoded to containg 
a type, a length and a value (TLV). Here, the type is 0x80 for 
timeBeforeExpiration and 0x81 for graceLoginsRemaining. As soon as you 
have an integer type, then the L byte is something between 1 and 4, 
*never* 0.

So 0x80 0x01 0x3C is correct.
> When 4 grace logins remain, the three bytes should be  -128, 1, 4  instead they are -127,
1, 4
Again, graceLogin is encoded 0x81 (-127) per the specification  :

SEQUENCE {
       warning   [0] CHOICE OPTIONAL {
          timeBeforeExpiration  [0] INTEGER (0 .. MaxInt),  // 0x80<->  -128
          graceLoginsRemaining  [1] INTEGER (0 .. maxInt) } // 0x81<->  -127

so -127, 1, 4 is correct
>
> We have a user that has the pwdReset = true  Attribute   AND their password is about
to expire.
> This is the byte[] value returned after 3 consecutive logins, you can see the password
expiration working
>
> [48, 8, -96, 3, -128, 1, 122, -127, 1, 2]  // pw expires in 122 seconds
> [48, 8, -96, 3, -128, 1, 83, -127, 1, 2] // pw expires in 83 seconds
> [48, 8, -96, 3, -128, 1, 48, -127, 1, 2] // pw expires in 48 seconds
>
>
> // here's the last case decoded.
> 48 (30) Skip
> 8 (8) Length = 8
> -96 (160) Continue
This is 0xA0, the T for Warning[0] in the ASN/1 grammar
> 3 (3) Length = 3
> -128 (128) Warning OK
this is 0x80, the T for timeBeforeExpiration [0] in the ASN/1 grammar
> 1 (1) Type 1<-- ?? This should be error Type 0? Type 1 defines Grace Logins
This is not a type, it's the integer length for the timeBeforeExpiration 
field
> 48 (48) 48 seconds remaining on password<-- expected value but is getting set in grace
logins
Do you mean that the control is fed incorrectly ?
> // loop again
> -127 (129) Error OK
> 1 (1) length =1
> 2 (2) Error  CHANGE_AFTER_RESET<-- this is what we expect.
correct
>
>
> Here's the same case, after the password expires. The Grace Login also has an Error instead
of a warning
> [48, 8, -96, 3, -127, 1, 4, -127, 1, 2]
> -127 (129) Error<-- This should be a Warning  -128
> 1 (1) Type 1 = Grace Logins remaining<-- this is the correct warning type
> 4 (4) 4 logins remaining<-- correct # of logins remaining

Not sure I get your point on this last sample.

If I decode the bytes, here is what I get :
0x30 0x08 // a SEQUENCE, 8 bytes long
   0xA0 0x03 // Warning, 3 bytes
     0x81 0x01 0x04 // graceLoginsRemaining, one byte, value = 4
   0x81 0x01 0x02 // error, changeAfterReset


We may have some issues in the way we generate the response, but as far 
as I can tell, the encoding is correct.

Do you mean that the resulting PasswordPolicy instance is not correctly 
set ? This is not what I see in the decoder...


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Mime
View raw message