directory-users mailing list archives

From Patricio Demitrio <pdemit...@scoop-gmbh.de>
Subject Re: [ApacheDS] Error 56
Date Thu, 31 Jan 2013 15:14:39 GMT
Thank you all for your big help.

Kiran: I am using openam

I did exactly as told in the previous mail.

The error now is much different.
First, although I set ads-pwdmustchange: TRUE, I was able to log in; I
don't know if that's normal.
Then, when I tried to update the password, I got the following error:
------------
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] - ERR_162 Bind error : Only LDAP v3 is supported.
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly

ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find a partition for
    at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:979)
    at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:847)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:267)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:712)
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1129)
    at org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1050)
    at org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1107)
    at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:48)
    at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:37)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:221)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:209)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
    at java.lang.Thread.run(Thread.java:662)
---------------------

I don't know if this helps, but if I try the same thing with OpenDJ, it
works, the password is updated, so maybe there is some clue on how openam
deals with the password field.


Thanks again to everyone


On Thu, Jan 31, 2013 at 3:29 PM, <Carlo.Accorsi@ibs-ag.com> wrote:

> To Kiran's point, you need a password policy entry, then the user
> references the policy via the pwdPolicySubEntry attribute.
>
> Here's an example policy that expires the password after two minutes.
>
> dn: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> ads-pwdattribute: userPassword
> ads-pwdid: test
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 60
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 3
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 120
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: TRUE
> ads-pwdsafemodify: FALSE
>
>
> Your user would then look like this, referencing the policy:
>
> dn: uid=user1,ou=people,dc=example,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> cn: user1
> sn: user1
> uid: user1
> userPassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> pwdPolicySubEntry: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 8:36 AM
> To: users@directory.apache.org
> Cc: elecharny@apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Carlo, I changed the value and it continues to fail.
>
> Please remember that the login process works, but the change password
> process fails. Maybe the sso server encrypts the entered password in a
> different way, but when logging in, it uses the same process as apacheds.
>
> I'm trying to read and understand a little bit what's going on in the
> backend...
>
> Thanks again
>
>
> On Thu, Jan 31, 2013 at 1:19 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
>
> > Hi, the case differences between your policy definition of the
> > password attribute and the actual name 'userpassword' might be causing a
> > problem.
> >
> > pwdAttribute: userPassword
> >
> > attribute name 'userpassword'
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 5:14 AM
> > To: users@directory.apache.org; elecharny@apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Hi Emmanuel,
> >
> > Here's the user full profile, according to apache directory studio:
> > ----
> > dn: uid=user1,ou=people,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: pwdPolicy
> > objectClass: inetOrgPerson
> > objectClass: top
> > cn: user1
> > pwdAttribute: userPassword
> > sn: user1
> > pwdAllowUserChange: true
> > pwdMustChange: true
> > uid: user1
> > userpassword::
> > e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
> >  Q==
> > createTimestamp: 20130129134743Z
> > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > entryCSN: 20130130121851.729000Z#000000#000#000000
> > entryParentId: 4
> > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > modifyTimestamp: 20130130121851Z
> > pwdHistory::
> > MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RPQ==
> > pwdHistory::
> > MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21ReA==
> > pwdHistory::
> > MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21Reg==
> > pwdHistory::
> > MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RMA==
> > pwdHistory::
> > MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RMQ==
> > pwdReset: true
> > ----------
> >
> > the user password is: password5.
> > I'm trying to change it to: password6 (not used before)
> >
> >
> > If I disable the pwdReset flag, the user logs in to the system properly,
> > so the password is the correct one.
> > Thanks
> >
> >
> > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny
> > <elecharny@gmail.com> wrote:
> >
> > > On 1/31/13 10:27 AM, Patricio Demitrio wrote:
> > > > Hi Emmanuel, thanks for your answer.
> > > >
> > > > I'm using apacheds-2.0.0-M9.
> > > >
> > > > The modify request comes from openam 10.0.1, a sso server that
> > > > gives you the option to reset the user password when pwdReset in
> > > > pwdPolicy is true.
> > > >
> > > > Is there some specific clue that I can give you here?
> > >
> > > AFAICT, the only reason to get this reason is that the value you are
> > > trying to remove is not present in the attribute. Like, say, you want
> > > to remove 'secret' when the password is 'magic' or anything but
> > > 'secret'.
> > >
> > > What would help is to provide the entry with all its attributes, so
> > > that we can compare with the modification you want to apply (of
> > > course, be careful to 'anonymize' the passwords :)
> > >
> > > Another possibility - but unlikely - is that we have a bug in the
> > > way we check for the presence of a value in a binary AttributeType.
> > >
> > > --
> > > Regards,
> > > Cordialement,
> > > Emmanuel Lécharny
> > > www.iktek.com
> > >
> > >
> >
>
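
Added example, not part of the original thread or of ApacheDS: a small Python check that parses LDIF and compares each inetOrgPerson entry against the layout Carlo's reply describes (a separate ads-passwordPolicy entry referenced through pwdPolicySubEntry). The sample LDIF is constructed and shortened from the entries quoted above; the function names and finding texts are assumptions of this example.

```python
import base64

# Constructed sample LDIF, shortened from the entries quoted in the thread.
POLICY_DN = ("ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,"
             "ou=interceptors,ads-directoryServiceId=default,ou=config")
SAMPLE = f"""\
dn: {POLICY_DN}
objectclass: ads-passwordPolicy
ads-enabled: TRUE

dn: uid=user1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
pwdPolicySubEntry: {POLICY_DN}

dn: uid=user2,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: pwdPolicy
pwdMustChange: true
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}; unfolds lines, decodes 'attr::' base64."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = {}
        for line in filter(None, block.splitlines()):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def check_policy_links(entries):
    """Return (dn, finding) pairs for person entries not wired to a policy entry as in Carlo's reply."""
    findings = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "inetorgperson" not in classes:
            continue
        if "pwdpolicy" in classes:  # policy attributes placed on the user, as in the first export
            findings.append((dn, "policy attributes set on the user entry itself"))
        refs = attrs.get("pwdpolicysubentry", [])
        if not refs:
            findings.append((dn, "no pwdPolicySubEntry reference"))
        for ref in refs:
            target = entries.get(ref.lower(), {})
            if "ads-passwordpolicy" not in {c.lower() for c in target.get("objectclass", [])}:
                findings.append((dn, "pwdPolicySubEntry does not point at an ads-passwordPolicy entry"))
    return findings
```

Run `check_policy_links(parse_ldif(SAMPLE))` against an export of both the config partition and the user partition, so that the referenced policy entry is present in the parsed set.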
