directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Password expiry enforcement
Date Tue, 20 May 2014 01:26:21 GMT
On Tue, May 20, 2014 at 3:11 AM, <Carlo.Accorsi@ibs-ag.com> wrote:

> Hi,
> I had the same issue last year and Kiran suggested adding this line
> somewhere in your code.
>
> System.setProperty("extra.controls",
> "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
>
yes, and this is not needed if you are using client API version >= 1.0.0-M21

> I put it in the static initializer of the class that handles the pw policy
> responses. Worked for me.
>
>
>
> -----Original Message-----
> From: Sathya S [mailto:sathya.skr.75@gmail.com]
> Sent: Monday, May 19, 2014 5:17 PM
> To: users@directory.apache.org
> Subject: Re: Password expiry enforcement
>
> Thanks,
>
> I am trying out code from :
>
> svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
>
> I am facing an issue when trying to access the PasswordPolicy -
>             PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();
>
>             BindRequest bindReq = new BindRequestImpl();
>             bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
>             bindReq.setCredentials("helloworld");
>             bindReq.addControl(PP_REQ_CTRL);
>
>             LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
>             BindResponse bindResp = userCon.bind(bindReq);
>
>             Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
>             PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();
>
> The last line throws me this exception:
> java.lang.ClassCastException: org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator
>
> This is the config on my server:
>
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> ads-pwdminlength: 7
> ads-pwdinhistory: 5
> ads-pwdid: default
> ads-pwdcheckquality: 1
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdMaxAge: 120
> ads-pwdvalidator: com.sathya.MyPasswordPolicy
> ads-pwdmaxfailure: 5
> ads-pwdattribute: userPassword
> ads-pwdfailurecountinterval: 30
> entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
> ads-enabled: TRUE
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
> ads-pwdgraceauthnlimit: 1
> entryCSN: 20140519205014.514000Z#000000#001#000000
> modifyTimestamp: 20140519205014.514Z
> ads-pwdExpireWarning: 60
>
> Any input?
>
>
>
> On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>
> > On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:
> >
> > > Brilliant!! Thanks so much Kiran. That worked.
> > >
> > > But still don't get a warning before expiry. Some of my friends said
> > > that this is something that needs to be built into the calling code
> > > and not something that apacheds provides out of the box. Is that right?
> > >
> >  you need to send password policy request control (OID is
> > 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back, note that the
> > error/warning will be present in the password policy response control
> > present in the bind response
> >
> > >
> > > —
> > > Sent from Mailbox
> > >
> > > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> > >
> > > > On Sat, May 17, 2014 at 7:18 PM, Sathya S <sathya.skr.75@gmail.com> wrote:
> > > >> I am continuing on my experiments with getting password policies
> > > >> functioning on ApacheDS and I am trying to enable password expiry and a
> > > >> warning before the expiry.
> > > >>
> > > >> This is what I have configured on the server:
> > > >>
> > > >> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > >> ads-pwdminlength: 7
> > > >> ads-pwdinhistory: 5
> > > >> ads-pwdid: default
> > > >> ads-pwdcheckquality: 1
> > > >> ads-pwdlockout: TRUE
> > > >> ads-pwdlockoutduration: 0
> > > >>
> > > >> ads-pwdMaxAge: 300
> > > >> ads-pwdExpireWarning: 180
> > > >> ...
> > > >>
> > > >> My understanding of this is that a user's password is valid for 5 minutes
> > > >> after which authentication would fail. After 3 minutes up to 5 minutes, he
> > > >> would be able to login, but would receive a warning about impending expiry.
> > > >> Is that correct?
> > > >>
> > > > yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > > > otherwise bind operation always accepts the expired password
> > > >> I restarted the server after making the above change.
> > > >>
> > > >> I have the below Java code to authenticate the user:
> > > >>
> > > >>             Hashtable<String, String> env = new Hashtable<String, String>();
> > > >>             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> > > >>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > > >>             //
> > > >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > > >>             env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
> > > >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > > >>
> > > >>             // Create the initial context
> > > >>             DirContext ctx = new InitialDirContext(env);
> > > >>
> > > >> I created this user account almost an hour ago but the authentication still
> > > >> goes through successfully. Anything I am missing here?
> > > >>
> > > >> Thanks.
> > > >>
> > > > --
> > > > Kiran Ayyagari
> > > > http://keydap.com
> > >
> >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>



-- 
Kiran Ayyagari
http://keydap.com
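The client-side handling this thread converges on, written out as an added example (it is not code from the thread, from PasswordPolicyIT, or from the ApacheDS project): send the password policy request control with the bind, guard the cast that produced the ClassCastException above instead of assuming the control was decoded, and act on the expiry warning, grace count and error that come back in the response control. The OID, the extra.controls property and the class names named on the page are taken from the thread; the package paths and the accessor methods on PasswordPolicy and PasswordPolicyResponse (hasResponse, getResponse, getTimeBeforeExpiration, getGraceAuthNRemaining, getPasswordPolicyError, with -1 meaning "field absent") are assumed from the Apache Directory LDAP API 1.0.0-M2x line as recalled, and the host, port, user DN and password are constructed placeholders.

```java
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Bind with the ppolicy request control and turn the response into an application decision. */
public class PasswordExpiryBindCheck {

    /** What the calling application should do with the login attempt. */
    public enum Verdict { OK, WARN_EXPIRING, GRACE_MUST_CHANGE, REJECT }

    static {
        // Per the thread: only needed on client API versions before 1.0.0-M21. Without the
        // factory registered, the response control is decoded as a BasicControlDecorator and
        // the cast to PasswordPolicyDecorator fails with the ClassCastException seen above.
        System.setProperty("extra.controls",
            "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
    }

    public static Verdict bindWithPolicy(String host, int port, String userDn, String password)
            throws Exception {
        // Request control, OID 1.3.6.1.4.1.42.2.27.8.5.1: without it the server sends no
        // warning or error details, only the bare bind result code.
        PasswordPolicy ppReq = new PasswordPolicyImpl();

        BindRequest bindReq = new BindRequestImpl();
        bindReq.setDn(new Dn(userDn));
        bindReq.setCredentials(password);
        bindReq.addControl(ppReq);

        LdapConnection conn = new LdapNetworkConnection(host, port);
        try {
            BindResponse bindResp = conn.bind(bindReq);
            ResultCodeEnum rc = bindResp.getLdapResult().getResultCode();

            Control ctrl = bindResp.getControls().get(ppReq.getOid());
            if (ctrl == null) {
                // Server returned no ppolicy control: fall back to the plain result code.
                return rc == ResultCodeEnum.SUCCESS ? Verdict.OK : Verdict.REJECT;
            }
            if (!(ctrl instanceof PasswordPolicyDecorator)) {
                // The control arrived but was not decoded (factory not registered / old API).
                throw new IllegalStateException("ppolicy response not decoded, got "
                    + ctrl.getClass().getName()
                    + "; register PasswordPolicyFactory or upgrade the client API to >= 1.0.0-M21");
            }
            PasswordPolicy policy = ((PasswordPolicyDecorator) ctrl).getDecorated();
            if (!policy.hasResponse()) {
                return rc == ResultCodeEnum.SUCCESS ? Verdict.OK : Verdict.REJECT;
            }
            PasswordPolicyResponse resp = policy.getResponse();   // assumed accessor

            // An error (expired password with no grace left, locked account, ...) or a
            // non-success result code means the bind must not be treated as a login.
            if (rc != ResultCodeEnum.SUCCESS || resp.getPasswordPolicyError() != null) {
                return Verdict.REJECT;
            }
            // Grace logins: the bind succeeded only because ads-pwdgraceauthnlimit left some
            // grace; the password is already expired, so force a change before continuing.
            if (resp.getGraceAuthNRemaining() >= 0) {   // -1 assumed to mean "absent"
                return Verdict.GRACE_MUST_CHANGE;
            }
            // Inside the ads-pwdExpireWarning window the server reports seconds remaining
            // (with the thread's config: present once 180 s or less of the 300 s remain).
            if (resp.getTimeBeforeExpiration() >= 0) {
                System.out.println("password expires in " + resp.getTimeBeforeExpiration() + " s");
                return Verdict.WARN_EXPIRING;
            }
            return Verdict.OK;
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholders; replace with your server, user DN and credential source.
        Verdict v = bindWithPolicy("localhost", 10389,
            "uid=example,ou=people,dc=example,dc=com", "change-me");
        System.out.println("verdict: " + v);
    }
}
```

The point of returning a verdict rather than a boolean is that the expiry warning and the grace-login case both come back as a successful bind; only the response control distinguishes "logged in", "logged in but warn the user" and "logged in on borrowed time, force a password change", so the application has to read it to enforce the policy the server configuration describes.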
