Subject: Re: pwdHistory not validating properly (in custom server)
From: Kiran Ayyagari
To: users@directory.apache.org
Date: Sat, 27 Apr 2013 10:25:11 +0530

I have tested with M11 and couldn't reproduce the reported password history
error (entered different passwords)

On Fri, Apr 26, 2013 at 7:54 PM, Patricio Demitrio wrote:
> I'm pretty sure, yes.
> When debugging, my interceptors listed are:
>
> [org.apache.directory.server.core.normalization.NormalizationInterceptor@4f8771a,
> app.ldap.server.AuthenticationInterceptor2@54534e82,
> org.apache.directory.server.core.referral.ReferralInterceptor@2947640e,
> org.apache.directory.server.core.authz.AciAuthorizationInterceptor@df9e84e,
> org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor@1202600d,
> org.apache.directory.server.core.admin.AdministrativePointInterceptor@59effeb7,
> org.apache.directory.server.core.exception.ExceptionInterceptor@1b3bce82,
> org.apache.directory.server.core.schema.SchemaInterceptor@7372c6c5,
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor@7457eab9,
> org.apache.directory.server.core.collective.CollectiveAttributeInterceptor@37f3535b,
> org.apache.directory.server.core.subtree.SubentryInterceptor@47e5980f,
> org.apache.directory.server.core.event.EventInterceptor@326225a9,
> org.apache.directory.server.core.trigger.TriggerInterceptor@49969416,
> org.apache.directory.server.core.changelog.ChangeLogInterceptor@3cd45618,
> org.apache.directory.server.core.journal.JournalInterceptor@186060db]
>
> About the changes you mentioned, is there something newer than M11? Or
> should I build something locally?
>
> Thanks
>
> On Fri, Apr 26, 2013 at 4:17 PM, Kiran Ayyagari wrote:
>
> > did you disable the default AuthenticationInterceptor?
> >
> > On Fri, Apr 26, 2013 at 7:20 PM, Patricio Demitrio wrote:
> >
> > > Hi, I'm currently working with a custom M11 server, the only thing
> > > different is a custom implementation of AuthenticatorInterceptor.
> > >
> > > When, from apacheDS, I try to change the user password, two different
> > > things happen:
> > > - If there is no pwdHistory present, the update works, and the pwdHistory
> > > attribute is created.
> > > - If pwdHistory exists, it throws me an error, even though the password is
> > > completely different.
> > >
> > > The error is:
> > >
> > > 2013.04.24 14:23:56,445 DEBUG [pool-4-thread-2]
> > > org.apache.directory.server.core.authn.AuthenticationInterceptor [] -
> > > Operation Context: ModifyContext for Dn 'uid=00000005,dc=2013.04.24
> > > 14:23:56,445
> > > DEBUG [pool-4-thread-2]
> > > org.apache.directory.server.core.authn.AuthenticationInterceptor [] -
> > > Operation Context: ModifyContext for Dn 'uid=00000005,dc=company1,dc=com',
> > > modifications :
> > > Modification: replace
> > > , attribute : userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74
> > > 0x31 '
> > >
> > >
> > > 2013.04.24 14:23:56,446 DEBUG [pool-4-thread-2]
> > > org.apache.directory.server.ldap.handlers.LdapRequestHandler [] -
> > > CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
> > > Message ID : 16
> > > Modify Request
> > > Object : 'uid=00000005,dc=company1,dc=com'
> > > Modification[0]
> > > Operation : replace
> > > Modification
> > > userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '
> > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcebfd3b :
> > > invalid reuse of password present in password history
> > > org.apache.directory.api.ldap.model.exception.LdapOperationException:
> > > invalid reuse of password present in password history
> > >   at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
> > >   at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> > > --->>>> extends from AuthenticationInterceptor. No added behaviour in this example
> > >   at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > >   at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:980)
> > >   at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> > >   at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > >   at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:223)
> > >   at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:782)
> > >   at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:914)
> > >   at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:897)
> > >   at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:56)
> > >   at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:39)
> > >   at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
> > >   at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> > >   at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
> > >   at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> > >   at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
> > >   at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> > >   at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
> > >   at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
> > >   at java.lang.Thread.run(Thread.java:722)
> > > 2013.04.24 14:23:56,449 DEBUG [pool-4-thread-2]
> > > org.apache.mina.core.filterchain.IoFilterEvent [] - Event MESSAGE_RECEIVED
> > > has been fired for session 1
> > > 2013.04.24 14:23:56,449 DEBUG [NioProcessor-2]
> > > org.apache.directory.server.ldap.handlers.LdapResponseHandler [] - Message
> > > sent : MessageType : MODIFY_RESPONSE,dc=com', modifications :
> > > Modification: replace
> > > , attribute : userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74
> > > 0x31 '
> > >
> > >
> > > 2013.04.24 14:23:56,446 DEBUG [pool-4-thread-2]
> > > org.apache.directory.server.ldap.handlers.LdapRequestHandler [] -
> > > CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
> > > Message ID : 16
> > > Modify Request
> > > Object : 'uid=00000005,dc=company1,dc=com'
> > > Modification[0]
> > > Operation : replace
> > > Modification
> > > userPassword: '0x73 0x63 0x6F 0x6F 0x70 0x73 0x6F 0x66 0x74 0x31 '
> > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcebfd3b :
> > > invalid reuse of password present in password history
> > > org.apache.directory.api.ldap.model.exception.LdapOperationException:
> > > invalid reuse of password present in password history
> > >   at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
> > >   at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> > >   at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > >   at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:980)
> > >   at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> > >   at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > >   at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:223)
> > >   at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:782)
> > >   at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:914)
> > >   at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:897)
> > >   at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:56)
> > >   at org.apache.directory.server.ldap.handlers.request.ModifyRequestHandler.handle(ModifyRequestHandler.java:39)
> > >   at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
> > >   at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> > >   at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
> > >   at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > >   at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> > >   at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
> > >   at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> > >   at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
> > >   at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
> > >   at java.lang.Thread.run(Thread.java:722)
> > > 2013.04.24 14:23:56,449 DEBUG [pool-4-thread-2]
> > > org.apache.mina.core.filterchain.IoFilterEvent [] - Event MESSAGE_RECEIVED
> > > has been fired for session 1
> > > 2013.04.24 14:23:56,449 DEBUG [NioProcessor-2]
> > > org.apache.directory.server.ldap.handlers.LdapResponseHandler [] - Message
> > > sent : MessageType : MODIFY_RESPONSE
> > >
> > >
> > > I don't know if this helps, but here's some extra info:
> > >
> > > Entry
> > > dn[n]: uid=00000005,dc=company1,dc=com
> > > objectclass: top
> > > objectclass: extensibleObject
> > > objectclass: InetOrgPerson
> > > objectclass: organizationalPerson
> > > objectclass: person
> > > objectclass: pwdPolicy
> > > pwdHistory: '0x32 0x30 0x31 0x33 0x30 0x34 0x32 0x34 0x31 0x32 0x32
> > > 0x33 0x32 0x39 0x2E 0x38 ...'
> > > pwdAllowUserChange: true
> > > uid: 00000005
> > > pwdPolicySubEntry: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > pwdReset: TRUE
> > > userPassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
> > > entryParentId: ccde56b4-aa2e-4738-af71-f15648d5e563
> > > distinguishedName: uid=00000005,dc=company1,dc=com
> > > pwdChangedTime: 20130410111201.584Z
> > > pwdAttribute: userPassword
> > > givenName: Michael
> > > c: DE
> > > cn: Michael Jackson
> > > sn: Jackson
> > > l: mjackson
> > > mail: mjackson@company1.de
> > > entryuuid: f679c2bb-e2f4-4987-8533-4d0b8407e876
> > > o: Test Company
> > > entryDN: uid=00000005,dc=company1,dc=com
> > > modifyTimestamp: 20130424122329.889Z
> > > entryCSN: 20130424122329.889000Z#000000#000#000000
> > > displayName: Michael Jackson
> > > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > >
> > >
> > > dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > objectClass: top
> > > objectClass: ads-base
> > > objectClass: ads-passwordPolicy
> > > ads-pwdId: default
> > > ads-pwdSafeModify: FALSE
> > > ads-pwdMaxAge: 0
> > > ads-pwdFailureCountInterval: 30
> > > ads-pwdAttribute: userPassword
> > > ads-pwdMaxFailure: 5
> > > ads-pwdLockout: TRUE
> > > ads-pwdMustChange: FALSE
> > > ads-pwdLockoutDuration: 0
> > > ads-pwdMinLength: 5
> > > ads-pwdInHistory: 5
> > > ads-pwdExpireWarning: 0
> > > ads-pwdMinAge: 0
> > > ads-pwdAllowUserChange: TRUE
> > > ads-pwdGraceAuthNLimit: 0
> > > ads-pwdCheckQuality: 2
> > > ads-pwdMaxLength: 0
> > > ads-pwdGraceExpire: 0
> > > ads-pwdMinDelay: 0
> > > ads-pwdMaxDelay: 0
> > > ads-pwdMaxIdle: 0
> > > ads-enabled: TRUE
> > >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
>

--
Kiran Ayyagari
http://keydap.com
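
The stack trace quoted above can be checked mechanically for interceptor methods that run more than once within a single request, which bears on the question of whether the default AuthenticationInterceptor was disabled. This is an added example, not code from the thread or from ApacheDS; the frames are copied from the quoted trace, and the names `parse_frames` and `reentered` are hypothetical.

```python
import re

# Top eight frames copied from the stack trace quoted in this thread
# (innermost call first); the "> > >" mail quoting is left in on purpose.
TRACE = """\
> > > at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
> > > at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> > > at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > > at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:980)
> > > at app.ldap.server.AuthenticationInterceptor2.modify(AuthenticationInterceptor2.java:168)
> > > at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:577)
> > > at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:223)
> > > at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:782)
"""

# fully.qualified.Class.method(File.java:line); '$' covers inner classes.
FRAME = re.compile(r"([\w.$]+)\.([\w$<>]+)\(([\w$]+\.java):(\d+)\)")


def parse_frames(text):
    """Return [(class, method, line)] in stack order, ignoring quoting and 'at'."""
    return [(cls, meth, int(line)) for cls, meth, _file, line in FRAME.findall(text)]


def reentered(frames, method="modify"):
    """Map class -> source lines for classes whose `method` is on the stack more than once."""
    seen = {}
    for cls, meth, line in frames:
        if meth == method:
            seen.setdefault(cls, []).append(line)
    return {cls: lines for cls, lines in seen.items() if len(lines) > 1}


if __name__ == "__main__":
    for cls, lines in reentered(parse_frames(TRACE)).items():
        print(f"{cls}.modify appears {len(lines)} times (lines {lines})")
```

On the quoted trace this reports `AuthenticationInterceptor.modify` at lines 956 and 980 and `AuthenticationInterceptor2.modify` twice at line 168, while `NormalizationInterceptor.modify` appears once.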