directory-users mailing list archives

From Patricio Demitrio <pdemit...@scoop-gmbh.de>
Subject Re: [ApacheDS] Error 56
Date Thu, 31 Jan 2013 16:12:10 GMT
Hi Carlo,
Unfortunately, after restarting the server the user was not even able to
log in.

I'm almost sure this has something to do with how OpenAM handles the user,
and here's why:

- I created a clean user, only with cn, sn and userpassword. The user is
able to log in.
- If the user wants to change his password, it fails as described before.
- If the admin logs in, and performs a forced password change (just typing
the new password, without entering the previous one), the modify is
successful.

So in the end, the error is related to the validation of the password while
trying to change it. This problem goes beyond pwdPolicy or
ads-passwordPolicy.

I'll try my best to solve this and let you know.

Thanks to everyone.


On Thu, Jan 31, 2013 at 4:36 PM, <Carlo.Accorsi@ibs-ag.com> wrote:

> One last thing. I've found that adding a password policy entry, or making
> changes to an existing policy, requires a restart of the server. This was my
> experience in pre-M9 builds but that may be different now.
> There's probably some interval in which changes to policy settings occur
> without restarting, but for testing purposes I restart the server after
> password policy changes of any kind.
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 10:15 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Thank you all for your big help.
>
> Kiran: I am using OpenAM.
>
> I did exactly as told in the previous mail.
>
> The error now is much different.
> First, although I set ads-pwdmustchange: TRUE, I was able to log in; I
> don't know if that's normal.
> Then, when I tried to update the password, I got the following error:
> ------------
> [16:04:44] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] - ERR_162 Bind error : Only LDAP v3 is supported.
> [16:04:44] ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
>
> ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
> org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find a partition for
>         at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:979)
>         at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:847)
>         at org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:267)
>         at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:712)
>         at org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1129)
>         at org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1050)
>         at org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1107)
>         at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:48)
>         at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:37)
>         at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:221)
>         at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
>         at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
>         at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:209)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
>         at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
>         at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
>         at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
>         at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
>         at java.lang.Thread.run(Thread.java:662)
> ---------------------
>
> I don't know if this helps, but if I try the same thing with OpenDJ, it
> works: the password is updated. So maybe there is some clue in how OpenAM
> deals with the password field.
>
>
> Thanks again to everyone
>
>
> On Thu, Jan 31, 2013 at 3:29 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
>
> > To Karin's point, you need a password policy entry, then the user
> > references the policy via the pwdPolicySubEntry attribute
> >
> > Here's an example policy that expires the password after two minutes.
> >
> > dn: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > objectclass: top
> > objectclass: ads-base
> > objectclass: ads-passwordPolicy
> > ads-pwdattribute: userPassword
> > ads-pwdid: test
> > ads-enabled: TRUE
> > ads-pwdallowuserchange: TRUE
> > ads-pwdcheckquality: 1
> > ads-pwdexpirewarning: 60
> > ads-pwdfailurecountinterval: 30
> > ads-pwdgraceauthnlimit: 3
> > ads-pwdgraceexpire: 0
> > ads-pwdinhistory: 5
> > ads-pwdlockout: TRUE
> > ads-pwdlockoutduration: 0
> > ads-pwdmaxage: 120
> > ads-pwdmaxdelay: 0
> > ads-pwdmaxfailure: 5
> > ads-pwdmaxidle: 0
> > ads-pwdmaxlength: 0
> > ads-pwdminage: 0
> > ads-pwdmindelay: 0
> > ads-pwdminlength: 5
> > ads-pwdmustchange: TRUE
> > ads-pwdsafemodify: FALSE
> >
> >
> > Your user would then look like this, referencing the policy:
> >
> > dn: uid=user1,ou=people,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: inetOrgPerson
> > objectClass: top
> > cn: user1
> > sn: user1
> > uid: user1
> > userPassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > pwdPolicySubEntry: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> >
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 8:36 AM
> > To: users@directory.apache.org
> > Cc: elecharny@apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Hi Carlo, I changed the value and it continues to fail.
> >
> > Please remember that the login process works, but the change password
> > process fails. Maybe the SSO server encrypts the entered password in a
> > different way, but when logging in, it uses the same process as ApacheDS.
> >
> > I'm trying to read and understand a little bit what's going on in the
> > backend...
> >
> > Thanks again
> >
> >
> > On Thu, Jan 31, 2013 at 1:19 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
> >
> > > Hi, the case differences between your policy definition of the
> > > password attribute and the actual name 'userpassword' might be
> > > causing a problem.
> > >
> > > pwdAttribute: userPassword
> > >
> > > attribute name 'userpassword'
> > >
> > >
> > > -----Original Message-----
> > > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > > Sent: Thursday, January 31, 2013 5:14 AM
> > > To: users@directory.apache.org; elecharny@apache.org
> > > Subject: Re: [ApacheDS] Error 56
> > >
> > > Hi Emmanuel,
> > >
> > > Here's the user full profile, according to apache directory studio:
> > > ----
> > > dn: uid=user1,ou=people,dc=example,dc=com
> > > objectClass: organizationalPerson
> > > objectClass: person
> > > objectClass: pwdPolicy
> > > objectClass: inetOrgPerson
> > > objectClass: top
> > > cn: user1
> > > pwdAttribute: userPassword
> > > sn: user1
> > > pwdAllowUserChange: true
> > > pwdMustChange: true
> > > uid: user1
> > > userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > > createTimestamp: 20130129134743Z
> > > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > entryCSN: 20130130121851.729000Z#000000#000#000000
> > > entryParentId: 4
> > > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > modifyTimestamp: 20130130121851Z
> > > pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RPQ==
> > > pwdHistory:: MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21ReA==
> > > pwdHistory:: MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21Reg==
> > > pwdHistory:: MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMA==
> > > pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMQ==
> > > pwdReset: true
> > > ----------
> > >
> > > the user password is: password5.
> > > I'm trying to change it to: password6 (not used before)
> > >
> > >
> > > If I disable the pwdReset flag, the user logs in properly to the
> > > system, so the password is the correct one.
> > > Thanks
> > >
> > >
> > > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> > >
> > > > On 1/31/13 10:27 AM, Patricio Demitrio wrote:
> > > > > Hi Emmanuel, thanks for your answer.
> > > > >
> > > > > I'm using apacheds-2.0.0-M9.
> > > > >
> > > > > The modify request comes from openam 10.0.1, an SSO server that
> > > > > gives you the option to reset the user password when pwdReset in
> > > > > pwdPolicy is true.
> > > > >
> > > > > Is there some specific clue that I can give you here?
> > > >
> > > > AFAICT, the only reason to get this error is that the value you
> > > > are trying to remove is not present in the attribute. Like, say,
> > > > you want to remove 'secret' when the password is 'magic' or
> > > > anything but 'secret'.
> > > >
> > > > What would help is to provide the entry with all its attributes,
> > > > so that we can compare with the modification you want to apply (of
> > > > course, be careful to 'anonymize' the passwords :)
> > > >
> > > > Another possibility - but unlikely - is that we have a bug in the
> > > > way we check for the presence of a value in a binary AttributeType.
> > > >
> > > > --
> > > > Regards,
> > > > Cordialement,
> > > > Emmanuel Lécharny
> > > > www.iktek.com
> > > >
> > > >
> > >
> >
>
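As an added example (not code from the thread, from ApacheDS or from OpenAM), the script below decodes the base64 LDIF values of the entry posted above and replays, against an in-memory copy of the attribute, the two shapes an LDAP password change can take: a self-service change that deletes the old value and adds the new one in a single modify, and an administrative replace. It assumes, for illustration only, that the self-service client sends the old password in cleartext in the delete; the thread does not establish what OpenAM actually sends. Under that assumption it reproduces the failure Emmanuel describes: userPassword holds an {SSHA} hash, so a delete of the cleartext b"password5" finds no matching value, whereas replace never compares the old value, which is what the admin-driven forced change looks like. The {SSHA} check lets you confirm offline whether a stored hash corresponds to the password you believe it does; the script prints that result for the posted hash and "password5" and makes no claim about it here. Decoding the five pwdHistory values yields the timestamps (the first equals createTimestamp, the last equals modifyTimestamp), the Octet String syntax OID, and a data field that is base64 of the literal values "password" through "password5" rather than of the {SSHA} value userPassword carries. Whether that comes from where history is recorded relative to hashing, or from what the clients sent, the thread does not say, so treat a pwdHistory dump as sensitive until you have checked on your own build.

```python
"""Added example, not code from the thread or from ApacheDS/OpenAM.

1. decode the LDIF '::' (base64) values of userPassword and pwdHistory;
2. check a cleartext candidate against an {SSHA} userPassword value;
3. replay delete-old/add-new versus replace against an in-memory copy of
   the attribute to show the "value to remove is not present" failure.
"""
import base64
import hashlib
import hmac

# Values copied from the LDIF posted in the thread (folded lines joined).
USERPASSWORD_B64 = "e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ=="
PWDHISTORY_B64 = [
    "MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RPQ==",
    "MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21ReA==",
    "MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21Reg==",
    "MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMA==",
    "MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMQ==",
]


def decode_ldif_value(b64: str) -> bytes:
    """An LDIF 'attr:: value' line carries base64; return the raw octets."""
    return base64.b64decode(b64)


def decode_pwd_history(b64: str) -> dict:
    """Split a pwdHistory value, time '#' syntaxOID '#' length '#' data.
    In the posted values data is itself base64 of a password value and
    length counts the characters of data; both are checked here."""
    time, oid, length, data = decode_ldif_value(b64).decode("ascii").split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return {"time": time, "syntax": oid, "value": base64.b64decode(data)}


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Common {SSHA} scheme: base64(SHA-1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


class ValueNotPresent(Exception):
    """Stands in for the error a delete of a value that is absent gets."""


def apply_modify(entry: dict, mods: list) -> dict:
    """Apply (op, attr, values) changes the way an LDAP modify does: in
    order, all or nothing, with 'delete' needing a byte-for-byte match of
    every listed value.  Returns a new entry; the input is not touched."""
    new = {attr: list(vals) for attr, vals in entry.items()}
    for op, attr, values in mods:
        current = new.setdefault(attr, [])
        if op == "delete":
            for v in values:
                if v not in current:
                    raise ValueNotPresent(f"{attr}: value to delete is not present")
                current.remove(v)
        elif op == "add":
            current.extend(values)
        elif op == "replace":
            new[attr] = list(values)
        else:
            raise ValueError(f"unknown modify op {op!r}")
    return new


def try_modify(entry: dict, mods: list):
    """Return (True, new_entry) or (False, error_text) without raising."""
    try:
        return True, apply_modify(entry, mods)
    except ValueNotPresent as err:
        return False, str(err)


# The entry as posted: userPassword holds an {SSHA} value, not cleartext.
ENTRY = {"userPassword": [decode_ldif_value(USERPASSWORD_B64)]}

# Assumed self-service shape: delete the old cleartext, add the new one.
SELF_SERVICE = [("delete", "userPassword", [b"password5"]),
                ("add", "userPassword", [b"password6"])]

# Admin shape: replace the whole attribute; nothing is compared.
FORCED = [("replace", "userPassword", [b"password6"])]

if __name__ == "__main__":
    stored = ENTRY["userPassword"][0].decode()
    print("stored:", stored)
    print("verifies as 'password5':", ssha_verify(stored, b"password5"))
    for h in PWDHISTORY_B64:
        rec = decode_pwd_history(h)
        print("history", rec["time"], rec["syntax"], rec["value"])
    print("self-service delete/add:", try_modify(ENTRY, SELF_SERVICE))
    print("forced replace:", try_modify(ENTRY, FORCED))
```

Run it as a script to see each step printed; every result also comes back from a function, so the same checks can be driven from a test or pointed at an entry dumped from your own server.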
