directory-users mailing list archives
From <Carlo.Acco...@ibs-ag.com>
Subject RE: [ApacheDS] Error 56
Date Thu, 31 Jan 2013 22:11:20 GMT
Not sure. I would verify that, using Apache Studio and connecting with the user's credentials
(not an admin), you can change his own password.
If you can't, you've got a server config or password policy issue.
If you can, your ldap client may be configured incorrectly or is connecting with LDAP v2.


-----Original Message-----
From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de] 
Sent: Thursday, January 31, 2013 11:12 AM
To: users@directory.apache.org
Subject: Re: [ApacheDS] Error 56

Hi Carlo,
unfortunately, after restarting the server the user was not even able to log in.

I'm almost sure this has something to do with how openam handles the user, and here's why:

- I created a clean user, only with cn, sn and userpassword. The user is able to log in.
- If the user wants to change his password, it fails as described before.
- If the admin logs in, and performs a forced password change (just typing the new password,
without entering the previous one), the modify is successful.

So in the end, the error is related to the validation of the password while trying to change
it. This problem goes beyond pwdPolicy or ads-passwordPolicy

I'll try my best to solve this and let you know

thanks to everyone


On Thu, Jan 31, 2013 at 4:36 PM, <Carlo.Accorsi@ibs-ag.com> wrote:

> One last thing. I've found that adding a password policy entry, or 
> making changes to an existing policy require a restart of the server. 
> This was my experience in pre M9 builds but that may be different now.
> There's probably some interval in which changes to policy settings 
> occur without restarting but for testing purposes I restart the server 
> after password policy changes of any kind.
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 10:15 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Thank you all for your big help.
>
> Kiran: I am using openam
>
> I did exactly as told in the previous mail.
>
> The error now is much different.
> First, although I set ads-pwdmustchange: TRUE, I was able to log in, I 
> don't know if that's normal.
> Then, when I tried to update the password, I got the following error:
> ------------
> [16:04:44] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] - ERR_162 Bind error : Only LDAP v3 is supported.
> [16:04:44] ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
>
> ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
> org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find a partition for
>     at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:979)
>     at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:847)
>     at org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:267)
>     at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:712)
>     at org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1129)
>     at org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1050)
>     at org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1107)
>     at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:48)
>     at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:37)
>     at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:221)
>     at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
>     at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
>     at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:209)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
>     at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
>     at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
>     at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
>     at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
>     at java.lang.Thread.run(Thread.java:662)
> ---------------------
>
> I don't know if this helps, but if I try the same thing with OpenDJ, 
> it works, the password is updated, so maybe there is some clue on how 
> openam deals with the password field.
>
>
> Thanks again to everyone
>
>
> On Thu, Jan 31, 2013 at 3:29 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
>
> > To Karin's point, you need a password policy entry, then the user 
> > references the policy via the pwdPolicySubEntry attribute
> >
> > Here's an example policy that expires the password after two minutes.
> >
> > dn: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > objectclass: top
> > objectclass: ads-base
> > objectclass: ads-passwordPolicy
> > ads-pwdattribute: userPassword
> > ads-pwdid: test
> > ads-enabled: TRUE
> > ads-pwdallowuserchange: TRUE
> > ads-pwdcheckquality: 1
> > ads-pwdexpirewarning: 60
> > ads-pwdfailurecountinterval: 30
> > ads-pwdgraceauthnlimit: 3
> > ads-pwdgraceexpire: 0
> > ads-pwdinhistory: 5
> > ads-pwdlockout: TRUE
> > ads-pwdlockoutduration: 0
> > ads-pwdmaxage: 120
> > ads-pwdmaxdelay: 0
> > ads-pwdmaxfailure: 5
> > ads-pwdmaxidle: 0
> > ads-pwdmaxlength: 0
> > ads-pwdminage: 0
> > ads-pwdmindelay: 0
> > ads-pwdminlength: 5
> > ads-pwdmustchange: TRUE
> > ads-pwdsafemodify: FALSE
> >
> >
> > Your user would then look like this, referencing the policy:
> >
> > dn: uid=user1,ou=people,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: inetOrgPerson
> > objectClass: top
> > cn: user1
> > sn: user1
> > uid: user1
> > userPassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > pwdPolicySubEntry: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> >
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 8:36 AM
> > To: users@directory.apache.org
> > Cc: elecharny@apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Hi Carlo, I changed the value and it continues to fail.
> >
> > Please remember that the login process works, but the change 
> > password process fails. Maybe the SSO server encrypts the entered 
> > password in a different way, but when logging in, it uses the same process as ApacheDS.
> >
> > I'm trying to read and understand a little bit what's going on in 
> > the backend...
> >
> > Thanks again
> >
> >
> > On Thu, Jan 31, 2013 at 1:19 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
> >
> > > Hi, the case differences between your policy definition of the 
> > > password attribute and the actual name 'userpassword' might be 
> > > causing a problem.
> > >
> > > pwdAttribute: userPassword
> > >
> > > attribute name 'userpassword'
> > >
> > >
> > > -----Original Message-----
> > > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > > Sent: Thursday, January 31, 2013 5:14 AM
> > > To: users@directory.apache.org; elecharny@apache.org
> > > Subject: Re: [ApacheDS] Error 56
> > >
> > > Hi Emmanuel,
> > >
> > > Here's the user's full profile, according to Apache Directory Studio:
> > > ----
> > > dn: uid=user1,ou=people,dc=example,dc=com
> > > objectClass: organizationalPerson
> > > objectClass: person
> > > objectClass: pwdPolicy
> > > objectClass: inetOrgPerson
> > > objectClass: top
> > > cn: user1
> > > pwdAttribute: userPassword
> > > sn: user1
> > > pwdAllowUserChange: true
> > > pwdMustChange: true
> > > uid: user1
> > > userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > > createTimestamp: 20130129134743Z
> > > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > entryCSN: 20130130121851.729000Z#000000#000#000000
> > > entryParentId: 4
> > > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > modifyTimestamp: 20130130121851Z
> > > pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RPQ==
> > > pwdHistory:: MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21ReA==
> > > pwdHistory:: MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21Reg==
> > > pwdHistory:: MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMA==
> > > pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMQ==
> > > pwdReset: true
> > > ----------
> > >
> > > the user password is: password5.
> > > I'm trying to change it to: password6 (not used before)
> > >
> > >
> > > If I disable the pwdReset flag, the user logs in properly to the 
> > > system, so the password is the correct one.
> > > Thanks
> > >
> > >
> > > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> > >
> > > > On 1/31/13 10:27 AM, Patricio Demitrio wrote:
> > > > > Hi Emanuel, thanks for your answer.
> > > > >
> > > > > I'm using apacheds-2.0.0-M9.
> > > > >
> > > > > The modify request comes from openam 10.0.1, an SSO server that 
> > > > > gives you the option to reset the user password when pwdReset 
> > > > > in pwdPolicy is true.
> > > > >
> > > > > Is there some specific clue that I can give you here?
> > > >
> > > > AFAICT, the only reason to get this error is that the value you 
> > > > are trying to remove is not present in the attribute. Like, say, 
> > > > you want to remove 'secret' when the password is 'magic' or 
> > > > anything but 'secret'.
> > > >
> > > > What would help is to provide the entry with all its attributes, 
> > > > so that we can compare with the modification you want to apply 
> > > > (of course, be careful to 'anonymize' the passwords :)
> > > >
> > > > Another possibility - but unlikely - is that we have a bug in 
> > > > the way we check for the presence of a value in a binary AttributeType.
> > > >
> > > > --
> > > > Regards,
> > > > Cordialement,
> > > > Emmanuel Lécharny
> > > > www.iktek.com
> > > >
> > > >
> > >
> >
>
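An added example (not code from the thread or from ApacheDS) showing, with Python's standard library only, why the two operations discussed in the thread can diverge: a simple bind verifies a candidate password against the stored salted {SSHA} userPassword value, while a modify that deletes an explicit "old" value only succeeds if that value is present byte-for-byte, which is the failure Emmanuel describes. The stored value is the one from the entry quoted above; the demo salt and the modify simulation are constructed.

```python
import base64
import hashlib
import hmac
import os

# The base64 userPassword value quoted in the thread's entry (page data, not constructed).
STORED_FROM_THREAD = b"e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ=="

SSHA_PREFIX = b"{SSHA}"
SHA1_LEN = 20


def decode_ldif_value(b64_value: bytes) -> bytes:
    """Decode a '::' (base64-encoded) LDIF attribute value to its raw bytes."""
    return base64.b64decode(b64_value)


def split_ssha(stored: bytes):
    """Return (digest, salt) from a {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not a {SSHA} value")
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def make_ssha(cleartext: str, salt: bytes = b"") -> bytes:
    """Build a {SSHA} value; a random 8-byte salt is used when none is given."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt)


def bind_check(stored: bytes, candidate: str) -> bool:
    """What a simple bind does: re-hash the candidate with the stored salt and compare."""
    digest, salt = split_ssha(stored)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def modify_delete_value(values: list, old_value: bytes) -> list:
    """Modify/delete semantics (RFC 4511): the listed value must be present
    byte-for-byte, otherwise the server rejects the whole modify."""
    if old_value not in values:
        raise LookupError("noSuchAttribute: value to delete is not present")
    return [v for v in values if v != old_value]


if __name__ == "__main__":
    digest, salt = split_ssha(decode_ldif_value(STORED_FROM_THREAD))
    print("thread entry uses {SSHA}; salt length:", len(salt))
    demo = make_ssha("password5", salt=b"demo-salt")  # constructed value
    print("bind with password5:", bind_check(demo, "password5"))
    try:
        modify_delete_value([demo], b"password5")  # cleartext never equals the stored hash
    except LookupError as err:
        print("delete old value as cleartext:", err)
```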
