directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: pwdHistory not validating properly (in custom server)
Date Sat, 27 Apr 2013 04:55:11 GMT
I have tested with M11 and couldn't reproduce the reported password history error (entered different passwords).


On Fri, Apr 26, 2013 at 7:54 PM, Patricio Demitrio <pdemitrio@scoop-gmbh.de> wrote:

> I'm pretty sure, yes.
> When debugging, my interceptors listed are:
>
> [org.apache.directory.server.core.normalization.NormalizationInterceptor@4f8771a,
>  app.ldap.server.AuthenticationInterceptor2@54534e82,
>  org.apache.directory.server.core.referral.ReferralInterceptor@2947640e,
>  org.apache.directory.server.core.authz.AciAuthorizationInterceptor@df9e84e,
>  org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor@1202600d,
>  org.apache.directory.server.core.admin.AdministrativePointInterceptor@59effeb7,
>  org.apache.directory.server.core.exception.ExceptionInterceptor@1b3bce82,
>  org.apache.directory.server.core.schema.SchemaInterceptor@7372c6c5,
>  org.apache.directory.server.core.operational.OperationalAttributeInterceptor@7457eab9,
>  org.apache.directory.server.core.collective.CollectiveAttributeInterceptor@37f3535b,
>  org.apache.directory.server.core.subtree.SubentryInterceptor@47e5980f,
>  org.apache.directory.server.core.event.EventInterceptor@326225a9,
>  org.apache.directory.server.core.trigger.TriggerInterceptor@49969416,
>  org.apache.directory.server.core.changelog.ChangeLogInterceptor@3cd45618,
>  org.apache.directory.server.core.journal.JournalInterceptor@186060db]
>
>
> About the changes you mentioned, is there something newer than M11? Or
> should I build something locally?
>
> Thanks
>
>
> On Fri, Apr 26, 2013 at 4:17 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>
> > did you disable the default AuthenticationInterceptor?
> >
> >
> > On Fri, Apr 26, 2013 at 7:20 PM, Patricio Demitrio <pdemitrio@scoop-gmbh.de> wrote:
> >
> > > Hi, I'm currently working with a custom M11 server, the only thing
> > > different is a custom implementation of AuthenticatorInterceptor.
> > >
> > > When, from apacheDS, I try to change the user password, two different
> > > things happen:
> > > - If there is no pwdHistory present, the update works, and the pwdHistory attribute is created.
> > > - If pwdHistory exists, it throws me an error, even though the password is completely different.
> > >
> > > The error is:
> > >
> > > 2013.04.24 14:23:56,445 DEBUG [pool-4-thread-2] org.apache.directory.server.core.authn.AuthenticationInterceptor [] - Operation Context: ModifyContext for Dn 'uid=00000005,dc=company1,dc=com', modifications :
> > > Modification: replace
> > > , attribute : userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '
> > >
> > > 2013.04.24 14:23:56,446 DEBUG [pool-4-thread-2] org.apache.directory.server.ldap.handlers.LdapRequestHandler [] - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
> > > Message ID : 16
> > >     Modify Request
> > >         Object : 'uid=00000005,dc=company1,dc=com'
> > >             Modification[0]
> > >                 Operation :  replace
> > >                 Modification
> > > userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '
> > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcebfd3b : invalid reuse of password present in password history
> > > org.apache.directory.api.ldap.model.exception.LdapOperationException: invalid reuse of password present in password history
> > >     at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
> > >     at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)   --->>>> extends from AuthenticationInterceptor. No added behaviour in this example
> > >     at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > >     at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:980)
> > >     at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> > >     at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > >     at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:223)
> > >     at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:782)
> > >     at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:914)
> > >     at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:897)
> > >     at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:56)
> > >     at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:39)
> > >     at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
> > >     at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> > >     at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
> > >     at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> > >     at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
> > >     at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> > >     at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
> > >     at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
> > >     at java.lang.Thread.run(Thread.java:722)
> > > 2013.04.24 14:23:56,449 DEBUG [pool-4-thread-2] org.apache.mina.core.filterchain.IoFilterEvent [] - Event MESSAGE_RECEIVED has been fired for session 1
> > > 2013.04.24 14:23:56,449 DEBUG [NioProcessor-2] org.apache.directory.server.ldap.handlers.LdapResponseHandler [] - Message sent : MessageType : MODIFY_RESPONSE
> > >
> > >
> > > I don't know if this helps, but here's some extra info:
> > >
> > > Entry
> > >     dn[n]: uid=00000005,dc=company1,dc=com
> > >     objectclass: top
> > >     objectclass: extensibleObject
> > >     objectclass: InetOrgPerson
> > >     objectclass: organizationalPerson
> > >     objectclass: person
> > >     objectclass: pwdPolicy
> > >     pwdHistory: '0x32 0x30 0x31 0x33 0x30 0x34 0x32 0x34 0x31 0x32 0x32 0x33 0x32 0x39 0x2E 0x38 ...'
> > >     pwdAllowUserChange: true
> > >     uid: 00000005
> > >     pwdPolicySubEntry: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >     pwdReset: TRUE
> > >     userPassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
> > >     entryParentId: ccde56b4-aa2e-4738-af71-f15648d5e563
> > >     distinguishedName: uid=00000005,dc=company1,dc=com
> > >     pwdChangedTime: 20130410111201.584Z
> > >     pwdAttribute: userPassword
> > >     givenName: Michael
> > >     c: DE
> > >     cn: Michael Jackson
> > >     sn: Jackson
> > >     l: mjackson
> > >     mail: mjackson@company1.de
> > >     entryuuid: f679c2bb-e2f4-4987-8533-4d0b8407e876
> > >     o: Test Company
> > >     entryDN: uid=00000005,dc=company1,dc=com
> > >     modifyTimestamp: 20130424122329.889Z
> > >     entryCSN: 20130424122329.889000Z#000000#000#000000
> > >     displayName: Michael Jackson
> > >     modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > >
> > >
> > > dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > objectClass: top
> > > objectClass: ads-base
> > > objectClass: ads-passwordPolicy
> > > ads-pwdId: default
> > > ads-pwdSafeModify: FALSE
> > > ads-pwdMaxAge: 0
> > > ads-pwdFailureCountInterval: 30
> > > ads-pwdAttribute: userPassword
> > > ads-pwdMaxFailure: 5
> > > ads-pwdLockout: TRUE
> > > ads-pwdMustChange: FALSE
> > > ads-pwdLockoutDuration: 0
> > > ads-pwdMinLength: 5
> > > ads-pwdInHistory: 5
> > > ads-pwdExpireWarning: 0
> > > ads-pwdMinAge: 0
> > > ads-pwdAllowUserChange: TRUE
> > > ads-pwdGraceAuthNLimit: 0
> > > ads-pwdCheckQuality: 2
> > > ads-pwdMaxLength: 0
> > > ads-pwdGraceExpire: 0
> > > ads-pwdMinDelay: 0
> > > ads-pwdMaxDelay: 0
> > > ads-pwdMaxIdle: 0
> > > ads-enabled: TRUE
> > >
> >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>



-- 
Kiran Ayyagari
http://keydap.com
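The policy entry quoted in the thread sets ads-pwdInHistory: 5 and ads-pwdMinLength: 5, and the server answered the modify with CONSTRAINT_VIOLATION and "invalid reuse of password present in password history". The Python model below is an added illustration of the history check those settings describe; it is not code from the thread or from ApacheDS, its names (Policy, Entry, change_password, run_chain) are invented, and it simplifies by updating the entry's history in place. pwdHistory values are written in the "time#syntaxOID#length#data" form of the LDAP password-policy draft, which is consistent with the quoted value beginning with a timestamp. run_chain also shows what a chain that pushes one modify through the same authentication logic twice would report, which is the reason Kiran first asked whether the default AuthenticationInterceptor had been disabled; the stack trace does show AuthenticationInterceptor.modify twice (lines 980 and 956), but the model is a scenario, not a confirmed diagnosis of the reporter's setup.

```python
"""Model of the LDAP password-policy history check (pwdHistory / pwdInHistory).

Added illustration for this thread, not ApacheDS code. All names are invented;
the history is updated in place on the entry object, a simplification of how a
real server would stage the change as a modification.
"""
import hmac
from dataclasses import dataclass, field

# Syntax OID recorded inside each history value (OctetString).
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


class ConstraintViolation(Exception):
    """Stands in for the CONSTRAINT_VIOLATION result the server returned."""


@dataclass
class Policy:
    pwd_in_history: int = 5   # ads-pwdInHistory from the thread's policy entry
    pwd_min_length: int = 5   # ads-pwdMinLength from the same entry


@dataclass
class Entry:
    user_password: bytes
    # pwdHistory values, each "time#syntaxOID#length#data" (draft password-policy form)
    pwd_history: list = field(default_factory=list)


def encode_history_value(time: str, password: bytes) -> str:
    """Serialise one stored password into the pwdHistory value format."""
    return f"{time}#{OCTET_STRING_OID}#{len(password)}#{password.decode('latin-1')}"


def decode_history_value(value: str) -> bytes:
    """Recover the password bytes from a pwdHistory value, checking the length field."""
    _time, _oid, length, data = value.split("#", 3)   # data itself may contain '#'
    password = data.encode("latin-1")
    if len(password) != int(length):
        raise ValueError(f"corrupt pwdHistory value: {value!r}")
    return password


def change_password(entry: Entry, new_password: bytes, policy: Policy, now: str) -> None:
    """One pass of the authentication interceptor: enforce policy, then record the change."""
    if len(new_password) < policy.pwd_min_length:
        raise ConstraintViolation("password too short")
    if policy.pwd_in_history > 0:
        # The new password may match neither the current one nor any remembered one.
        seen = [decode_history_value(v) for v in entry.pwd_history] + [entry.user_password]
        if any(hmac.compare_digest(new_password, old) for old in seen):
            raise ConstraintViolation("invalid reuse of password present in password history")
        # Push the password being replaced into history and keep only the newest N.
        entry.pwd_history.append(encode_history_value(now, entry.user_password))
        entry.pwd_history = entry.pwd_history[-policy.pwd_in_history:]
    entry.user_password = new_password


def run_chain(entry: Entry, new_password: bytes, policy: Policy, now: str, passes: int = 1) -> str:
    """Push one modify through `passes` copies of the interceptor; return 'ok' or the error text.

    With passes=2 the second copy sees the password the first copy just stored and
    rejects a genuinely new password as a reuse."""
    try:
        for _ in range(passes):
            change_password(entry, new_password, policy, now)
    except ConstraintViolation as err:
        return str(err)
    return "ok"


if __name__ == "__main__":
    policy = Policy()
    user = Entry(user_password=b"initial-pw")          # constructed sample entry
    print(run_chain(user, b"second-pw", policy, "20130424122329.889Z"))           # ok
    print(run_chain(user, b"initial-pw", policy, "20130424122330.000Z"))          # reuse rejected
    print(run_chain(Entry(b"initial-pw"), b"third-pw", policy, "20130424122330.000Z", passes=2))
```

The last call is the interesting one for this thread: a password that is in nobody's history is still reported as "invalid reuse" when the same check-and-record step runs twice for a single modify, so the first thing to verify in a chain with a subclassed authentication interceptor is that the history logic executes exactly once per operation.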
