directory-users mailing list archives

From Patricio Demitrio <pdemit...@scoop-gmbh.de>
Subject Re: [ApacheDS] Error 56
Date Fri, 01 Feb 2013 09:45:47 GMT
Hi Carlo, I got an answer from the openam team.
Apparently openam is using ldapv2 to change the password, and that is where
the problem probably resides.

So I'm guessing I'm reaching a dead end here, unless I configure apacheds
to work with ldapv2, but I don't know if that's an option.

Is it?

Thanks
Patricio
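Carlo's suggestion above (check whether the client binds with LDAP v2) can be confirmed straight from a packet capture. The following is an added example, not code from this thread, ApacheDS or OpenAM: a minimal BER decoder that reads the version field out of a raw BindRequest, plus a constructed packet builder used only to produce the sample messages.

```python
# Added example (not from the thread, ApacheDS or OpenAM): decode the version
# field of a raw LDAP BindRequest so a capture can show whether a client binds
# with LDAP v2, which ApacheDS rejects with ERR_162 "Only LDAP v3 is supported".

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one BER TLV at buf[pos]; definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_request_version(packet: bytes):
    """Version carried by the BindRequest in an LDAPMessage, or None if the op is not a bind."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)    # messageID INTEGER
    tag, op, _ = _read_tlv(msg, pos)       # protocolOp CHOICE
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        return None
    _, version, _ = _read_tlv(op, 0)       # version INTEGER (2 or 3 in practice)
    return int.from_bytes(version, "big")


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER TLV (value shorter than 128 bytes), enough for the samples below."""
    return bytes([tag, len(value)]) + value


def build_simple_bind(version: int, dn: str, password: str, msg_id: int = 1) -> bytes:
    """Constructed sample: a simple-bind BindRequest as a client would send it."""
    op = _tlv(0x02, bytes([version])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


if __name__ == "__main__":
    # Constructed sample bind; a real capture would be read from the wire or a pcap.
    for v in (2, 3):
        pkt = build_simple_bind(v, "uid=user1,ou=people,dc=example,dc=com", "secret")
        print(pkt.hex(), "->", "LDAP v%d" % bind_request_version(pkt))
```

A bind whose version byte decodes to 2 is exactly what produces the ERR_162 line in the log quoted further down the thread.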


On Thu, Jan 31, 2013 at 11:11 PM, <Carlo.Accorsi@ibs-ag.com> wrote:

> Not sure.. I would verify that using Apache Studio, and connecting with
> the user's credentials (not an admin) you can change his own password.
> If you can't, you've got a server config or password policy issue.
> If you can, your ldap client may be configured incorrectly or is
> connecting with LDAP v2.
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 11:12 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Carlo,
> unfortunately, after restarting the server the user was not even able to
> log in.
>
> I'm almost sure this has something to do with how openam handles the user,
> and here's why:
>
> - I created a clean user, only with cn, sn and userpassword. The user is
> able to log in.
> - If the user wants to change his password, it fails as described before.
> - If the admin logs in, and performs a forced password change (just typing
> the new password, without entering the previous one), the modify is
> successful.
>
> So in the end, the error is related to the validation of the password
> while trying to change it. This problem goes beyond pwdPolicy or
> ads-passwordPolicy
>
> I'll try my best to solve this and let you know
>
> thanks to everyone
>
>
> On Thu, Jan 31, 2013 at 4:36 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
>
> > One last thing. I've found that adding a password policy entry, or
> > making changes to an existing policy, requires a restart of the server.
> > This was my experience in pre M9 builds but that may be different now.
> > There's probably some interval in which changes to policy settings
> > occur without restarting but for testing purposes I restart the server
> > after password policy changes of any kind.
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 10:15 AM
> > To: users@directory.apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Thank you all for your big help.
> >
> > Kiran: I am using openam
> >
> > I did exactly as told in the previous mail.
> >
> > The error now is much different.
> > First, although I set ads-pwdmustchange: TRUE, I was able to log in, I
> > don't know if that's normal.
> > Then, when I tried to update the password, I got the following error:
> > ------------
> > [16:04:44] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] - ERR_162 Bind error : Only LDAP v3 is supported.
> > [16:04:44] ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
> >
> > ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
> > org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find a partition for
> > ---------------------
> >
> > I don't know if this helps, but if I try the same thing with OpenDJ,
> > it works, the password is updated, so maybe there is some clue on how
> > openam deals with the password field.
> >
> >
> > Thanks again to everyone
> >
> >
> > On Thu, Jan 31, 2013 at 3:29 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
> >
> > > To Karin's point, you need a password policy entry, then the user
> > > references the policy via the pwdPolicySubEntry attribute
> > >
> > > Here's an example policy that expires the password after two minutes.
> > >
> > > dn: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > objectclass: top
> > > objectclass: ads-base
> > > objectclass: ads-passwordPolicy
> > > ads-pwdattribute: userPassword
> > > ads-pwdid: test
> > > ads-enabled: TRUE
> > > ads-pwdallowuserchange: TRUE
> > > ads-pwdcheckquality: 1
> > > ads-pwdexpirewarning: 60
> > > ads-pwdfailurecountinterval: 30
> > > ads-pwdgraceauthnlimit: 3
> > > ads-pwdgraceexpire: 0
> > > ads-pwdinhistory: 5
> > > ads-pwdlockout: TRUE
> > > ads-pwdlockoutduration: 0
> > > ads-pwdmaxage: 120
> > > ads-pwdmaxdelay: 0
> > > ads-pwdmaxfailure: 5
> > > ads-pwdmaxidle: 0
> > > ads-pwdmaxlength: 0
> > > ads-pwdminage: 0
> > > ads-pwdmindelay: 0
> > > ads-pwdminlength: 5
> > > ads-pwdmustchange: TRUE
> > > ads-pwdsafemodify: FALSE
> > >
> > >
> > > Your user would then look like this, referencing the policy:
> > >
> > > dn: uid=user1,ou=people,dc=example,dc=com
> > > objectClass: organizationalPerson
> > > objectClass: person
> > > objectClass: inetOrgPerson
> > > objectClass: top
> > > cn: user1
> > > sn: user1
> > > uid: user1
> > > userPassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > > pwdPolicySubEntry: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > > Sent: Thursday, January 31, 2013 8:36 AM
> > > To: users@directory.apache.org
> > > Cc: elecharny@apache.org
> > > Subject: Re: [ApacheDS] Error 56
> > >
> > > Hi Carlo, I changed the value and it continues to fail.
> > >
> > > Please remember that the login process works, but the change
> > > password process fails. Maybe the sso server encrypts the entered
> > > password in a different way, but when logging in, it uses the same
> > > process as apacheds.
> > >
> > > I'm trying to read and understand a little bit what's going on in
> > > the backend...
> > >
> > > Thanks again
> > >
> > >
> > > On Thu, Jan 31, 2013 at 1:19 PM, <Carlo.Accorsi@ibs-ag.com> wrote:
> > >
> > > > Hi, the case differences between your policy definition of the
> > > > password attribute and the actual name 'userpassword' might be
> > > > causing a problem.
> > > >
> > > > pwdAttribute: userPassword
> > > >
> > > > attribute name 'userpassword'
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > > > Sent: Thursday, January 31, 2013 5:14 AM
> > > > To: users@directory.apache.org; elecharny@apache.org
> > > > Subject: Re: [ApacheDS] Error 56
> > > >
> > > > Hi Emmanuel,
> > > >
> > > > Here's the user full profile, according to apache directory studio:
> > > > ----
> > > > dn: uid=user1,ou=people,dc=example,dc=com
> > > > objectClass: organizationalPerson
> > > > objectClass: person
> > > > objectClass: pwdPolicy
> > > > objectClass: inetOrgPerson
> > > > objectClass: top
> > > > cn: user1
> > > > pwdAttribute: userPassword
> > > > sn: user1
> > > > pwdAllowUserChange: true
> > > > pwdMustChange: true
> > > > uid: user1
> > > > userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > > > createTimestamp: 20130129134743Z
> > > > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > > entryCSN: 20130130121851.729000Z#000000#000#000000
> > > > entryParentId: 4
> > > > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > > > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > > modifyTimestamp: 20130130121851Z
> > > > pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RPQ==
> > > > pwdHistory:: MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21ReA==
> > > > pwdHistory:: MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21Reg==
> > > > pwdHistory:: MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMA==
> > > > pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzEyI2NHRnpjM2R2Y21RMQ==
> > > > pwdReset: true
> > > > ----------
> > > >
> > > > the user password is: password5.
> > > > I'm trying to change it to: password6 (not used before)
> > > >
> > > >
> > > > If I disable the pwdReset flag, the user logs in properly to the
> > > > system, so the password is the correct one.
> > > > Thanks
> > > >
> > > >
> > > > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> > > >
> > > > > Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > > > > > Hi Emanuel, thanks for your answer.
> > > > > >
> > > > > > I'm using apacheds-2.0.0-M9.
> > > > > >
> > > > > > The modify request comes from openam 10.0.1, a sso server that
> > > > > > gives you the option to reset the user password when pwdReset
> > > > > > in pwdPolicy is true.
> > > > > >
> > > > > > Is there some specific clue that I can give you here?
> > > > >
> > > > > AFAICT, the only reason to get this reason is that the value you
> > > > > are trying to remove is not present in the attribute. Like, say,
> > > > > you want to remove 'secret' when the password is 'magic' or
> > > > > anything but 'secret'.
> > > > >
> > > > > What would help is to provide the entry with all its attributes,
> > > > > so that we can compare with the modification you want to apply
> > > > > (of course, be careful to 'anonymize' the passwords :)
> > > > >
> > > > > Another possibility - but unlikely - is that we have a bug in
> > > > > the way we check for the presence of a value in a binary
> > > > > AttributeType.
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Cordialement,
> > > > > Emmanuel Lécharny
> > > > > www.iktek.com
> > > > >
> > > > >
> > > >
> > >
> >
>
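Emmanuel's explanation above (the delete names a value that is not present in the attribute) can be exercised with the following added example, which is not code from this thread, ApacheDS or OpenAM: it models the usual two-step "delete old userPassword value, add new value" modify and shows the difference between a hash-aware match and a literal byte comparison against a {SSHA} value. The entry, salt and passwords are constructed for the example.

```python
# Added example (not from the thread or ApacheDS): reproduce the check behind the
# "value not present" failure Emmanuel describes. A client typically changes a
# password with one modify that deletes the old userPassword value and adds the
# new one; the delete only succeeds if the server can match the supplied value.
import base64
import hashlib
import os

SUCCESS = 0
NO_SUCH_ATTRIBUTE = 16      # RFC 4511 resultCode when a delete names a value that is not there


def ssha_encode(password: str, salt: bytes = None) -> str:
    """Produce a {SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check cleartext against a stored value; for {SSHA} the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return stored == candidate          # cleartext storage: literal comparison
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def change_password(entry: dict, old_value: str, new_value: str, hash_aware: bool = True) -> int:
    """Apply 'delete old value, add new value' to entry['userPassword'] and return the resultCode.
    hash_aware=True matches the cleartext the client sent against hashed stored values;
    hash_aware=False compares bytes literally, so a hashed store never matches cleartext."""
    values = entry.get("userPassword", [])
    if hash_aware:
        matched = [v for v in values if ssha_verify(v, old_value)]
    else:
        matched = [v for v in values if v == old_value]
    if not matched:
        return NO_SUCH_ATTRIBUTE            # the value to remove is not in the attribute
    entry["userPassword"] = [v for v in values if v not in matched] + [ssha_encode(new_value)]
    return SUCCESS


if __name__ == "__main__":
    # Constructed entry with a fixed salt so the run is reproducible.
    user = {"userPassword": [ssha_encode("password5", b"12345678")]}
    print(change_password(user, "password4", "password6"))            # 16: wrong old value
    print(change_password(user, "password5", "password6", False))     # 16: literal compare vs hash
    print(change_password(user, "password5", "password6"))            # 0: matched, value replaced
```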
