directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: pwdHistory not validating properly (in custom server)
Date Fri, 26 Apr 2013 14:17:17 GMT
Did you disable the default AuthenticationInterceptor?


On Fri, Apr 26, 2013 at 7:20 PM, Patricio Demitrio
<pdemitrio@scoop-gmbh.de> wrote:

> Hi, I'm currently working with a custom M11 server; the only thing
> different is a custom implementation of AuthenticationInterceptor.
>
> When, from apacheDS, I try to change the user password, two different
> things happen:
> - If there is no pwdHistory present, the update works, and the pwdHistory
> attribute is created.
> - If pwdHistory exists, it throws me an error, even though the password is
> completely different.
>
> The error is:
>
> 2013.04.24 14:23:56,445 DEBUG [pool-4-thread-2] org.apache.directory.server.core.authn.AuthenticationInterceptor [] - Operation Context: ModifyContext for Dn 'uid=00000005,dc=company1,dc=com', modifications :
> Modification: replace
> , attribute : userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '
>
>
> 2013.04.24 14:23:56,446 DEBUG [pool-4-thread-2] org.apache.directory.server.ldap.handlers.LdapRequestHandler [] - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
> Message ID : 16
>     Modify Request
>         Object : 'uid=00000005,dc=company1,dc=com'
>             Modification[0]
>                 Operation :  replace
>                 Modification
> userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '
> org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcebfd3b: invalid reuse of password present in password history
> org.apache.directory.api.ldap.model.exception.LdapOperationException: invalid reuse of password present in password history
>     at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
>     at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> --->>>> extends from AuthenticationInterceptor. No added behaviour in this example
>     at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
>     at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:980)
>     at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
>     at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
>     at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:223)
>     at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:782)
>     at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:914)
>     at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:897)
>     at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:56)
>     at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:39)
>     at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
>     at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
>     at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
>     at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
>     at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
>     at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
>     at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
>     at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
>     at java.lang.Thread.run(Thread.java:722)
> 2013.04.24 14:23:56,449 DEBUG [pool-4-thread-2] org.apache.mina.core.filterchain.IoFilterEvent [] - Event MESSAGE_RECEIVED has been fired for session 1
> 2013.04.24 14:23:56,449 DEBUG [NioProcessor-2] org.apache.directory.server.ldap.handlers.LdapResponseHandler [] - Message sent : MessageType : MODIFY_RESPONSE
>
>
> I don't know if this helps, but here's some extra info:
>
> Entry
>     dn[n]: uid=00000005,dc=company1,dc=com
>     objectclass: top
>     objectclass: extensibleObject
>     objectclass: InetOrgPerson
>     objectclass: organizationalPerson
>     objectclass: person
>     objectclass: pwdPolicy
>     pwdHistory: '0x32 0x30 0x31 0x33 0x30 0x34 0x32 0x34 0x31 0x32 0x32 0x33 0x32 0x39 0x2E 0x38 ...'
>     pwdAllowUserChange: true
>     uid: 00000005
>     pwdPolicySubEntry: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>     pwdReset: TRUE
>     userPassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
>     entryParentId: ccde56b4-aa2e-4738-af71-f15648d5e563
>     distinguishedName: uid=00000005,dc=company1,dc=com
>     pwdChangedTime: 20130410111201.584Z
>     pwdAttribute: userPassword
>     givenName: Michael
>     c: DE
>     cn: Michael Jackson
>     sn: Jackson
>     l: mjackson
>     mail: mjackson@company1.de
>     entryuuid: f679c2bb-e2f4-4987-8533-4d0b8407e876
>     o: Test Company
>     entryDN: uid=00000005,dc=company1,dc=com
>     modifyTimestamp: 20130424122329.889Z
>     entryCSN: 20130424122329.889000Z#000000#000#000000
>     displayName: Michael Jackson
>     modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>
>
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectClass: top
> objectClass: ads-base
> objectClass: ads-passwordPolicy
> ads-pwdId: default
> ads-pwdSafeModify: FALSE
> ads-pwdMaxAge: 0
> ads-pwdFailureCountInterval: 30
> ads-pwdAttribute: userPassword
> ads-pwdMaxFailure: 5
> ads-pwdLockout: TRUE
> ads-pwdMustChange: FALSE
> ads-pwdLockoutDuration: 0
> ads-pwdMinLength: 5
> ads-pwdInHistory: 5
> ads-pwdExpireWarning: 0
> ads-pwdMinAge: 0
> ads-pwdAllowUserChange: TRUE
> ads-pwdGraceAuthNLimit: 0
> ads-pwdCheckQuality: 2
> ads-pwdMaxLength: 0
> ads-pwdGraceExpire: 0
> ads-pwdMinDelay: 0
> ads-pwdMaxDelay: 0
> ads-pwdMaxIdle: 0
> ads-enabled: TRUE
>



-- 
Kiran Ayyagari
http://keydap.com
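What the posted trace shows, and why the question about the default interceptor is the right one: AuthenticationInterceptor.modify (line 980) calls BaseInterceptor.next, which lands in AuthenticationInterceptor2.modify a second time, and that second, nested pass is the one that throws at line 956. The history check therefore runs twice on a single modify request, which only happens when the chain holds the authentication interceptor twice. The Python below is an added model of that chain written for this page; it is not ApacheDS code and not the poster's interceptor. It reproduces both reported symptoms (no pwdHistory: success; existing pwdHistory: "invalid reuse") and adds a small audit that flags a chain containing an interceptor class twice, counting a subclass such as AuthenticationInterceptor2 as a copy of its base. One assumption, not checked against the ApacheDS source, is marked in the code: an existing pwdHistory attribute on the shared in-flight entry is extended in place before next() is called, whereas a missing attribute only goes into the modification list. Class names mirror the trace; the DN is the one from the post; passwords and chain contents are constructed.

```python
"""Model of an ApacheDS-style interceptor chain with a pwdHistory check.

Constructed example: it reproduces the shape of the posted stack trace (the
authentication interceptor's modify() entered twice, nested through next())
without using any ApacheDS API.
"""
from __future__ import annotations


class ConstraintViolation(Exception):
    """Stands in for LdapOperationException with CONSTRAINT_VIOLATION."""


class Entry:
    """The in-flight entry; every interceptor in the chain sees the same object."""

    def __init__(self, dn: str, password: bytes, history: list[bytes] | None) -> None:
        self.dn = dn
        self.user_password = password
        self.pwd_history = history  # None models "no pwdHistory attribute present"
        self.mods: list[tuple[str, str, object]] = []  # (op, attribute, value)


class Interceptor:
    """Base behaviour: hand the operation to the next interceptor (BaseInterceptor.next)."""

    def modify(self, entry: Entry, new_password: bytes, next_) -> Entry:
        return next_(entry, new_password)


class NormalizationInterceptor(Interceptor):
    """Present in the trace; no password logic, so the base behaviour suffices."""


class AuthenticationInterceptor(Interceptor):
    PWD_IN_HISTORY = 5  # ads-pwdInHistory from the posted policy

    def modify(self, entry: Entry, new_password: bytes, next_) -> Entry:
        if entry.pwd_history is None:
            # No attribute yet: the new one goes into the modification list only,
            # so the shared entry object is left untouched for later interceptors.
            entry.mods.append(("add", "pwdHistory", [new_password]))
        else:
            if new_password in entry.pwd_history:
                raise ConstraintViolation(
                    "invalid reuse of password present in password history")
            # ASSUMPTION of this model (not checked against the ApacheDS source):
            # an existing history attribute on the shared entry is extended in
            # place before the operation moves on down the chain.
            entry.pwd_history.append(new_password)
            del entry.pwd_history[:-self.PWD_IN_HISTORY]
            entry.mods.append(("replace", "pwdHistory", list(entry.pwd_history)))
        entry.mods.append(("replace", "userPassword", new_password))
        return next_(entry, new_password)


class AuthenticationInterceptor2(AuthenticationInterceptor):
    """The poster's subclass: extends the default interceptor, adds nothing."""


def run_chain(chain: list[Interceptor], entry: Entry, new_password: bytes) -> Entry:
    """Invoke the chain in order; each interceptor continues via next_, so later
    interceptors run nested inside earlier ones, exactly as the trace shows."""

    def call(i: int, e: Entry, pwd: bytes) -> Entry:
        if i == len(chain):
            e.user_password = pwd  # terminal step: the partition applies the write
            return e
        return chain[i].modify(e, pwd, lambda e2, p2: call(i + 1, e2, p2))

    return call(0, entry, new_password)


def change_password(chain, history, new_password=b"new-secret"):
    """Return 'ok' or the CONSTRAINT_VIOLATION message for one modify request."""
    entry = Entry("uid=00000005,dc=company1,dc=com", b"old-secret", history)
    try:
        run_chain(chain, entry, new_password)
        return "ok"
    except ConstraintViolation as exc:
        return str(exc)


def duplicate_interceptors(chain):
    """Audit a chain: map each interceptor class that is effectively present more
    than once to the instances providing it (a subclass counts as a copy of its base)."""
    seen: dict[str, list[str]] = {}
    for ic in chain:
        for base in type(ic).__mro__:
            if base in (Interceptor, object):
                continue
            seen.setdefault(base.__name__, []).append(type(ic).__name__)
    return {name: copies for name, copies in seen.items() if len(copies) > 1}


if __name__ == "__main__":
    broken = [NormalizationInterceptor(), AuthenticationInterceptor(), AuthenticationInterceptor2()]
    fixed = [NormalizationInterceptor(), AuthenticationInterceptor2()]
    for name, chain in (("default + custom", broken), ("custom only", fixed)):
        print(name, "| no history:", change_password(chain, None),
              "| with history:", change_password(chain, [b"older-secret"]))
        print("  duplicates:", duplicate_interceptors(chain))
```

Running the block gives "ok / ok" for the chain that holds only AuthenticationInterceptor2 and "ok / invalid reuse ..." for the chain that holds the default interceptor as well; a chain holding AuthenticationInterceptor2 twice, which is what the two identical frames in the trace literally show, behaves the same way, and the audit reports it. Two things worth checking on the real server: list the entries under ou=interceptors,ads-directoryServiceId=default,ou=config (the parent of the posted policy DN) and confirm that only one of them provides an authentication interceptor; and keep DEBUG logging for org.apache.directory.server.core.authn off outside a test box, because the posted log prints the new userPassword value byte for byte (the 0x73 0x63 ... sequence is plain ASCII).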
