directory-users mailing list archives

From <Carlo.Acco...@ibs-ag.com>
Subject RE: Password expiry enforcement
Date Mon, 19 May 2014 21:41:28 GMT
Hi,
I had the same issue last year and Kiran suggested adding this line somewhere in your code.


System.setProperty("extra.controls", "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");

I put it in the static initializer of the class that handles the pw policy responses. Worked for me.



-----Original Message-----
From: Sathya S [mailto:sathya.skr.75@gmail.com] 
Sent: Monday, May 19, 2014 5:17 PM
To: users@directory.apache.org
Subject: Re: Password expiry enforcement

Thanks,

I am trying out code from:
svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java

I am facing an issue when trying to access the PasswordPolicy -
            PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();

            BindRequest bindReq = new BindRequestImpl();
            bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
            bindReq.setCredentials("helloworld");
            bindReq.addControl(PP_REQ_CTRL);

            LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
            BindResponse bindResp = userCon.bind(bindReq);

            Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
            PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();

The last line throws me this exception:
java.lang.ClassCastException: org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator

This is the config on my server:

dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdminlength: 7
ads-pwdinhistory: 5
ads-pwdid: default
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdMaxAge: 120
ads-pwdvalidator: com.sathya.MyPasswordPolicy
ads-pwdmaxfailure: 5
ads-pwdattribute: userPassword
ads-pwdfailurecountinterval: 30
entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
ads-pwdgraceauthnlimit: 1
entryCSN: 20140519205014.514000Z#000000#001#000000
modifyTimestamp: 20140519205014.514Z
ads-pwdExpireWarning: 60

Any input?



On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:
>
> > Brilliant!! Thanks so much Kiran. That worked.
> >
> > But still don't get a warning before expiry. Some of my friends said 
> > that this is something that needs to be built into the calling code 
> > and not something that apacheds provides out of the box. Is that right?
> >
> You need to send the password policy request control (OID is
> 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back. Note that the
> error/warning will be present in the password policy response control
> present in the bind response.
>
> >
> > —
> > Sent from Mailbox
> >
> > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> >
> > > On Sat, May 17, 2014 at 7:18 PM, Sathya S <sathya.skr.75@gmail.com> wrote:
> > >> I am continuing on my experiments with getting password policies
> > >> functioning on ApacheDS and I am trying to enable password expiry and a
> > >> warning before the expiry.
> > >>
> > >> This is what I have configured on the server:
> > >>
> > >> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >> ads-pwdminlength: 7
> > >> ads-pwdinhistory: 5
> > >> ads-pwdid: default
> > >> ads-pwdcheckquality: 1
> > >> ads-pwdlockout: TRUE
> > >> ads-pwdlockoutduration: 0
> > >>
> > >> ads-pwdMaxAge: 300
> > >> ads-pwdExpireWarning: 180
> > >> ...
> > >>
> > >> My understanding of this is that a user's password is valid for 5 minutes
> > >> after which authentication would fail. After 3 minutes up to 5 minutes, he
> > >> would be able to login, but would receive a warning about impending expiry.
> > >> Is that correct?
> > >>
> > > yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > > otherwise bind operation always accepts the expired password
> > >> I restarted the server after making the above change.
> > >>
> > >> I have the below Java code to authenticate the user:
> > >>
> > >>             Hashtable<String, String> env = new Hashtable<String, String>();
> > >>             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> > >>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > >>             //
> > >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > >>             env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
> > >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > >>
> > >>             // Create the initial context
> > >>
> > >>             DirContext ctx = new InitialDirContext(env);
> > >>
> > >> I created this user account almost an hour ago but the authentication
> > >> still goes through successfully. Anything I am missing here?
> > >>
> > >> Thanks.
> > >>
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
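The thread above gives the three pieces separately: Carlo's `extra.controls` property (which registers the ppolicy control factory so the response control decodes as a `PasswordPolicyDecorator` rather than a `BasicControlDecorator`), Kiran's point that the warning comes back in the response control of the bind response, and Kiran's note that `ads-pwdgraceauthnlimit` must be > 0 for expiry to be enforced at all. The class below is an added example that ties them together; it is not Carlo's or Sathya's code and not the ApacheDS project's `PasswordPolicyIT`. It assumes the same Directory API class names that appear in the thread (`PasswordPolicyImpl`, `PasswordPolicyDecorator`, `LdapNetworkConnection`, `BindRequestImpl`), uses the control OID quoted by Kiran, and treats the `PpolicyBindCheck`, `Outcome` and `Result` names, the host, port, user DN and password as placeholders. The property is set in a static initializer so it runs before any connection is opened, which is where Carlo reports putting it.

```java
import java.util.Map;

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

// Hypothetical class name; added example, not code from the thread or the project.
public class PpolicyBindCheck {

    // Password policy control OID as quoted by Kiran in the thread.
    private static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    // Carlo's fix: register the ppolicy control factory with the codec before any
    // connection exists. Without it the response control is a BasicControlDecorator
    // and the cast below fails with the ClassCastException Sathya reports.
    static {
        System.setProperty("extra.controls",
            "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
    }

    /** OK: bound, no warning. WARN_EXPIRING: bound, expiry in timeBeforeExpiration seconds.
     *  WARN_GRACE: bound on a grace login, password already expired.
     *  REJECTED_BY_POLICY: bind refused and the control names the reason. FAILED: other failure. */
    public enum Outcome { OK, WARN_EXPIRING, WARN_GRACE, REJECTED_BY_POLICY, FAILED }

    /** Outcome plus the raw values from the response control (-1 / null when absent). */
    public static final class Result {
        public final Outcome outcome;
        public final int timeBeforeExpiration;
        public final int graceAuthNRemaining;
        public final PasswordPolicyErrorEnum error;

        Result(Outcome o, int t, int g, PasswordPolicyErrorEnum e) {
            outcome = o; timeBeforeExpiration = t; graceAuthNRemaining = g; error = e;
        }
    }

    /** Maps bind result code plus decoded ppolicy response onto an Outcome. */
    public static Result interpret(BindResponse bindResp, PasswordPolicyResponse ppResp) {
        boolean bound = bindResp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS;
        int ttl = ppResp == null ? -1 : ppResp.getTimeBeforeExpiration();
        int grace = ppResp == null ? -1 : ppResp.getGraceAuthNRemaining();
        PasswordPolicyErrorEnum err = ppResp == null ? null : ppResp.getPasswordPolicyError();

        if (!bound) {
            return new Result(err != null ? Outcome.REJECTED_BY_POLICY : Outcome.FAILED, ttl, grace, err);
        }
        if (grace >= 0) {
            // Expired password accepted on a grace login: only happens when
            // ads-pwdgraceauthnlimit > 0, which Kiran says is required for enforcement.
            return new Result(Outcome.WARN_GRACE, ttl, grace, err);
        }
        if (ttl >= 0) {
            // Inside the ads-pwdExpireWarning window: prompt the user to change it now.
            return new Result(Outcome.WARN_EXPIRING, ttl, grace, err);
        }
        return new Result(Outcome.OK, ttl, grace, err);
    }

    /** Binds with the ppolicy request control and reads the response control back. */
    public static Result bindAndCheck(String host, int port, String userDn, String password) throws Exception {
        LdapConnection conn = new LdapNetworkConnection(host, port);
        try {
            BindRequest bindReq = new BindRequestImpl();
            bindReq.setDn(new Dn(userDn));
            bindReq.setCredentials(password);
            bindReq.addControl(new PasswordPolicyImpl()); // the request control Kiran refers to

            BindResponse bindResp = conn.bind(bindReq);

            PasswordPolicyResponse ppResp = null;
            Map<String, Control> controls = bindResp.getControls();
            Control ctrl = controls == null ? null : controls.get(PPOLICY_OID);
            // instanceof instead of a blind cast: if the factory was not registered the
            // control is a BasicControlDecorator and we fall through with ppResp == null.
            if (ctrl instanceof PasswordPolicyDecorator) {
                PasswordPolicy pp = ((PasswordPolicyDecorator) ctrl).getDecorated();
                if (pp.hasResponse()) {
                    ppResp = pp.getResponse();
                }
            }
            return interpret(bindResp, ppResp);
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder server, user and password from the thread; replace with your own.
        Result r = bindAndCheck("localhost", 10389, "uid=SathyaSkr,ou=people,dc=example,dc=com", "helloworld");
        System.out.println(r.outcome + " timeBeforeExpiration=" + r.timeBeforeExpiration
            + " graceAuthNRemaining=" + r.graceAuthNRemaining + " error=" + r.error);
    }
}
```

The `instanceof` check is the part worth keeping even after the property is set: a caller that casts blindly gets the `ClassCastException` from the thread, while a caller that ignores a missing control silently loses the expiry warning and, with `ads-pwdgraceauthnlimit` at 0, never sees an expired password rejected at all. Treating `ppResp == null` on a successful bind as "policy not enforced, investigate" rather than "fine" is the safer reading in a login path.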