directory-users mailing list archives

From Patricio Demitrio <pdemit...@scoop-gmbh.de>
Subject pwdHistory not validating properly (in custom server)
Date Fri, 26 Apr 2013 13:50:17 GMT
Hi, I'm currently working with a custom M11 server; the only thing
different is a custom implementation of AuthenticatorInterceptor.

When, from apacheDS, I try to change the user password, two different
things happen:
- If there is no pwdHistory present, the update works, and the pwdHistory
attribute is created.
- If pwdHistory exists, it throws me an error, even though the password is
completely different.

The error is:

2013.04.24 14:23:56,445 DEBUG [pool-4-thread-2] org.apache.directory.server.core.authn.AuthenticationInterceptor [] - Operation Context: ModifyContext for Dn 'uid=00000005,dc=company1,dc=com', modifications :
Modification: replace
, attribute : userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '


2013.04.24 14:23:56,446 DEBUG [pool-4-thread-2] org.apache.directory.server.ldap.handlers.LdapRequestHandler [] - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
Message ID : 16
    Modify Request
        Object : 'uid=00000005,dc=company1,dc=com'
            Modification[0]
                Operation :  replace
                Modification
userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '
org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcebfd3b: invalid reuse of password present in password history
org.apache.directory.api.ldap.model.exception.LdapOperationException: invalid reuse of password present in password history
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
    at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
--->>>> extends from AuthenticationInterceptor. No added behaviour in this example
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:980)
    at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
    at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:223)
    at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:782)
    at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:914)
    at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:897)
    at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:56)
    at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:39)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
    at java.lang.Thread.run(Thread.java:722)
2013.04.24 14:23:56,449 DEBUG [pool-4-thread-2] org.apache.mina.core.filterchain.IoFilterEvent [] - Event MESSAGE_RECEIVED has been fired for session 1
2013.04.24 14:23:56,449 DEBUG [NioProcessor-2] org.apache.directory.server.ldap.handlers.LdapResponseHandler [] - Message sent : MessageType : MODIFY_RESPONSE


I don't know if this helps, but here's some extra info:

Entry
    dn[n]: uid=00000005,dc=company1,dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: InetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: pwdPolicy
    pwdHistory: '0x32 0x30 0x31 0x33 0x30 0x34 0x32 0x34 0x31 0x32 0x32 0x33 0x32 0x39 0x2E 0x38 ...'
    pwdAllowUserChange: true
    uid: 00000005
    pwdPolicySubEntry: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
    pwdReset: TRUE
    userPassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
    entryParentId: ccde56b4-aa2e-4738-af71-f15648d5e563
    distinguishedName: uid=00000005,dc=company1,dc=com
    pwdChangedTime: 20130410111201.584Z
    pwdAttribute: userPassword
    givenName: Michael
    c: DE
    cn: Michael Jackson
    sn: Jackson
    l: mjackson
    mail: mjackson@company1.de
    entryuuid: f679c2bb-e2f4-4987-8533-4d0b8407e876
    o: Test Company
    entryDN: uid=00000005,dc=company1,dc=com
    modifyTimestamp: 20130424122329.889Z
    entryCSN: 20130424122329.889000Z#000000#000#000000
    displayName: Michael Jackson
    modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system


dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: top
objectClass: ads-base
objectClass: ads-passwordPolicy
ads-pwdId: default
ads-pwdSafeModify: FALSE
ads-pwdMaxAge: 0
ads-pwdFailureCountInterval: 30
ads-pwdAttribute: userPassword
ads-pwdMaxFailure: 5
ads-pwdLockout: TRUE
ads-pwdMustChange: FALSE
ads-pwdLockoutDuration: 0
ads-pwdMinLength: 5
ads-pwdInHistory: 5
ads-pwdExpireWarning: 0
ads-pwdMinAge: 0
ads-pwdAllowUserChange: TRUE
ads-pwdGraceAuthNLimit: 0
ads-pwdCheckQuality: 2
ads-pwdMaxLength: 0
ads-pwdGraceExpire: 0
ads-pwdMinDelay: 0
ads-pwdMaxDelay: 0
ads-pwdMaxIdle: 0
ads-enabled: TRUE
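
Added example, not part of the original message and not ApacheDS code: a small Python diagnostic that decodes the space-separated hex notation used in the log and entry dump above and checks a candidate password against pwdHistory values. It assumes the `time#syntaxOID#length#data` value layout of the LDAP password policy draft with Base64-encoded `data` and cleartext stored passwords; the history value in the demo is constructed, because the one in the message is truncated.

```python
import base64
from typing import List, NamedTuple

# Copied from the message above (debug notation: space-separated hex octets).
NEW_PASSWORD_DUMP = "0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 "
CURRENT_PASSWORD_DUMP = "0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 "
PWD_IN_HISTORY = 5  # ads-pwdInHistory in the posted policy
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


class HistoryEntry(NamedTuple):
    time: str
    syntax_oid: str
    data: bytes


def decode_hex_dump(dump: str) -> bytes:
    """Turn '0x70 0x61 ...' into bytes; refuse values the log cut short."""
    tokens = dump.split()
    if tokens and tokens[-1] == "...":
        raise ValueError("truncated dump; read the attribute from the server")
    return bytes(int(tok, 16) for tok in tokens)


def parse_history(value: bytes) -> HistoryEntry:
    """ASSUMED layout: time#syntaxOID#length#base64(password)."""
    time, oid, _length, data = value.decode("utf-8").split("#", 3)
    return HistoryEntry(time, oid, base64.b64decode(data))


def reused(candidate: bytes, history: List[bytes],
           keep: int = PWD_IN_HISTORY) -> List[str]:
    """Timestamps of the newest `keep` history entries equal to candidate."""
    entries = sorted((parse_history(v) for v in history), key=lambda e: e.time)
    return [e.time for e in entries[-keep:] if e.data == candidate]


def make_entry(time: str, password: bytes) -> bytes:
    """Build a CONSTRUCTED history value for the demo (not server data)."""
    data = base64.b64encode(password).decode("ascii")
    return f"{time}#{OCTET_STRING_OID}#{len(data)}#{data}".encode("utf-8")


if __name__ == "__main__":
    new_pw = decode_hex_dump(NEW_PASSWORD_DUMP)
    old_pw = decode_hex_dump(CURRENT_PASSWORD_DUMP)
    history = [make_entry("20130424122329.889Z", old_pw)]  # constructed
    print("new password found in history at:", reused(new_pw, history))
    print("old password found in history at:", reused(old_pw, history))
```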
