From: Patricio Demitrio
To: users@directory.apache.org
Date: Thu, 31 Jan 2013 16:14:39 +0100
Subject: Re: [ApacheDS] Error 56

Thank you all for your big help.

Kiran: I am using openam

I did exactly as told in the previous mail. The error now is much different.
First, although I set ads-pwdmustchange: TRUE, I was able to log in, I don't know if that's normal.
Then, when I tried to update the password, I got the following error:

------------
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] - ERR_162 Bind error : Only LDAP v3 is supported.
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find a partition for
    at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:979)
    at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:847)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:267)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:712)
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1129)
    at org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1050)
    at org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1107)
    at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:48)
    at org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:37)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:221)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:209)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
    at java.lang.Thread.run(Thread.java:662)
---------------------

I don't know if this helps, but if I try the same thing with OpenDJ, it works, the password is updated, so maybe there is some clue on how openam deals with the password field.

Thanks again to everyone

On Thu, Jan 31, 2013 at 3:29 PM, wrote:

> To Karin's point, you need a password policy entry, then the user references the policy via the pwdPolicySubEntry attribute
>
> Here's an example policy that expires the password after two minutes.
>
> dn: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> ads-pwdattribute: userPassword
> ads-pwdid: test
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 60
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 3
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 120
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: TRUE
> ads-pwdsafemodify: FALSE
>
>
> Your user would then look like this, referencing the policy:
>
> dn: uid=user1,ou=people,dc=example,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> cn: user1
> sn: user1
> uid: user1
> userPassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> pwdPolicySubEntry: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 8:36 AM
> To: users@directory.apache.org
> Cc: elecharny@apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Carlo, I changed the value and it continues to fail.
>
> Please remember that the login process works, but the change password process fails. Maybe the sso server encrypts the entered password in a different way, but when logging in, it uses the same process as apacheds.
>
> I'm trying to read and understand a little bit what's going on in the backend...
>
> Thanks again
>
>
> On Thu, Jan 31, 2013 at 1:19 PM, wrote:
>
> > Hi, the case differences between your policy definition of the password attribute and the actual name 'userpassword' might be causing a problem.
> >
> > pwdAttribute: userPassword
> >
> > attribute name 'userpassword'
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 5:14 AM
> > To: users@directory.apache.org; elecharny@apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Hi Emmanuel,
> >
> > Here's the user full profile, according to apache directory studio:
> > ----
> > dn: uid=user1,ou=people,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: pwdPolicy
> > objectClass: inetOrgPerson
> > objectClass: top
> > cn: user1
> > pwdAttribute: userPassword
> > sn: user1
> > pwdAllowUserChange: true
> > pwdMustChange: true
> > uid: user1
> > userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > createTimestamp: 20130129134743Z
> > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > entryCSN: 20130130121851.729000Z#000000#000#000000
> > entryParentId: 4
> > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > modifyTimestamp: 20130130121851Z
> > pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RPQ==
> > pwdHistory:: MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21ReA==
> > pwdHistory:: MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21Reg==
> > pwdHistory:: MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMA==
> > pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMQ==
> > pwdReset: true
> > ----------
> >
> > the user password is: password5.
> > I'm trying to change it to: password6 (not used before)
> >
> >
> > If I disable the pwdReset flag, the user logs properly to the system, so the password is the correct one.
> > Thanks
> >
> >
> > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny wrote:
> >
> > > On 1/31/13 10:27 AM, Patricio Demitrio wrote:
> > > > Hi Emanuel, thanks for your answer.
> > > >
> > > > I'm using apacheds-2.0.0-M9.
> > > >
> > > > The modify request comes from openam 10.0.1, a sso server that gives you the option to reset the user password when pwdReset in pwdPolicy is true.
> > > >
> > > > Is there some specific clue that I can give you here?
> > >
> > > AFAICT, the only reason to get this reason is that the value you are trying to remove is not present in the attribute. Like, say, you want to remove 'secret' when the password is 'magic' or anything but 'secret'.
> > >
> > > What would help is to provide the entry with all its attributes, so that we can compare with the modification you want to apply (of course, be careful to 'anonymize' the passwords :)
> > >
> > > Another possibility - but unlikely - is that we have a bug in the way we check for the presence of a value in a binary AttributeType.
> > >
> > > --
> > > Regards,
> > > Cordialement,
> > > Emmanuel Lécharny
> > > www.iktek.com
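
Added example, not part of the original thread and not ApacheDS or OpenAM code: it parses the userPassword:: value quoted above into its {SSHA} digest and salt, then shows why a bind can succeed while a value-specific delete of the old password finds nothing to remove. Assumptions: delete_value is a simplified byte-exact model of an LDAP modify delete, and "old-password" is a constructed sample.

```python
import base64
import hashlib
import hmac
import os

# userPassword:: value from the user1 entry quoted in the thread (LDIF base64).
LDIF_VALUE = "e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ=="


def parse_ssha(stored: bytes):
    """Split a '{SSHA}base64(sha1 + salt)' value into (scheme, digest, salt)."""
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    return "SSHA", raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt


def make_ssha(password: str, salt: bytes = None) -> bytes:
    """Hash a password with a fresh random salt unless one is supplied."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify(password: str, stored: bytes) -> bool:
    """Bind-style check: re-hash with the stored salt and compare digests."""
    _, digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def delete_value(values: list, value: bytes) -> list:
    """Simplified model of a value-specific delete: exact bytes must exist."""
    if value not in values:
        raise LookupError("value to remove is not present in the attribute")
    return [v for v in values if v != value]


if __name__ == "__main__":
    scheme, digest, salt = parse_ssha(base64.b64decode(LDIF_VALUE))
    print(scheme, len(digest), len(salt))
    stored = make_ssha("old-password")       # constructed sample value
    print("bind ok:", verify("old-password", stored))
    # Neither the cleartext nor a re-hash with a new salt equals the stored bytes.
    for attempt in (b"old-password", make_ssha("old-password")):
        try:
            delete_value([stored], attempt)
        except LookupError as exc:
            print("delete failed:", exc)
```

Only a delete that sends the stored bytes themselves matches in this model, which is why comparing the client's modify request against the stored entry is the useful diagnostic step.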