directory-users mailing list archives

From Sathya S <sathya.skr...@gmail.com>
Subject Re: Password expiry enforcement
Date Mon, 19 May 2014 21:16:38 GMT
Thanks,

I am trying out the code from:
svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java

I am facing an issue when trying to access the PasswordPolicy -

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

    // password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1), attached to the bind
    PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();

    BindRequest bindReq = new BindRequestImpl();
    bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
    bindReq.setCredentials("helloworld");
    bindReq.addControl(PP_REQ_CTRL);

    LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
    BindResponse bindResp = userCon.bind(bindReq);

    // the response control comes back under the same OID as the request control
    Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
    PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();

The last line throws me this exception:
java.lang.ClassCastException: org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator

This is the config on my server:

dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdminlength: 7
ads-pwdinhistory: 5
ads-pwdid: default
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdMaxAge: 120
ads-pwdvalidator: com.sathya.MyPasswordPolicy
ads-pwdmaxfailure: 5
ads-pwdattribute: userPassword
ads-pwdfailurecountinterval: 30
entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
ads-pwdgraceauthnlimit: 1
entryCSN: 20140519205014.514000Z#000000#001#000000
modifyTimestamp: 20140519205014.514Z
ads-pwdExpireWarning: 60

Any input?



On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:
>
> > Brilliant!! Thanks so much Kiran. That worked.
> >
> > But still don't get a warning before expiry. Some of my friends said that
> > this is something that needs to be built into the calling code and not
> > something that apacheds provides out of the box. Is that right?
> >
> you need to send the password policy request control (OID is
> 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back; note that the
> error/warning will be present in the password policy response control
> present in the bind response
>
> >
> > —
> > Sent from Mailbox
> >
> > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <kayyagari@apache.org>
> > wrote:
> >
> > > On Sat, May 17, 2014 at 7:18 PM, Sathya S <sathya.skr.75@gmail.com> wrote:
> > >> I am continuing on my experiments with getting password policies
> > >> functioning on ApacheDS and I am trying to enable password expiry and a
> > >> warning before the expiry.
> > >>
> > >> This is what I have configured on the server:
> > >>
> > >> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >> ads-pwdminlength: 7
> > >> ads-pwdinhistory: 5
> > >> ads-pwdid: default
> > >> ads-pwdcheckquality: 1
> > >> ads-pwdlockout: TRUE
> > >> ads-pwdlockoutduration: 0
> > >>
> > >> *ads-pwdMaxAge: 300*
> > >> *ads-pwdExpireWarning: 180*
> > >> ...
> > >>
> > >> My understanding of this is that a user's password is valid for 5 minutes,
> > >> after which authentication would fail. After 3 minutes up to 5 minutes, he
> > >> would be able to log in, but would receive a warning about impending expiry.
> > >> Is that correct?
> > >>
> > > yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > > otherwise the bind operation always accepts the expired password
> > >> I restarted the server after making the above change.
> > >>
> > >> I have the below Java code to authenticate the user:
> > >>
> > >> import java.util.Hashtable;
> > >> import javax.naming.Context;
> > >> import javax.naming.directory.DirContext;
> > >> import javax.naming.directory.InitialDirContext;
> > >>
> > >>     Hashtable<String, String> env = new Hashtable<String, String>();
> > >>     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> > >>     env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > >>
> > >>     // simple bind as the user; JNDI sends no password policy request control here
> > >>     env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > >>     env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
> > >>     env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > >>
> > >>     // Create the initial context (this is where the bind happens)
> > >>     DirContext ctx = new InitialDirContext(env);
> > >>
> > >> I created this user account almost an hour ago but the authentication still
> > >> goes through successfully. Anything I am missing here?
> > >>
> > >> Thanks.
> > >>
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
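Added example, not code from this thread or from ApacheDS: what the password policy response control Kiran refers to actually carries, and how to read it from the raw control value when a client library hands the control back undecoded (an undecoded LDAP control is nothing more than the OID, the criticality flag and the value octets, which is the situation behind the ClassCastException above). The value is the BER-encoded PasswordPolicyResponseValue from draft-behera-ldap-password-policy; the request control uses the same OID and has no value. The encoder is included only to construct sample server responses offline; the function names, the decoded dictionary layout, the client_action wording and the sample figures (120 s before expiry, one grace bind left) are this example's own choices and not anything from the thread.

```python
"""Decode the LDAP password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1).

ASN.1 from draft-behera-ldap-password-policy:

    PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE {
            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
        error   [1] ENUMERATED { passwordExpired (0), accountLocked (1),
            changeAfterReset (2), passwordModNotAllowed (3),
            mustSupplyOldPassword (4), insufficientPasswordQuality (5),
            passwordTooShort (6), passwordTooYoung (7),
            passwordInHistory (8) } OPTIONAL }

The request control has the same OID and no value: the client just attaches it
to the BindRequest to ask the server to return the response control.
"""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Tags as they appear on the wire (context-specific class, implicit tagging).
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0             # [0] constructed, wraps the CHOICE
TAG_TIME_BEFORE_EXPIRY = 0x80  # [0] primitive INTEGER inside the CHOICE
TAG_GRACE_REMAINING = 0x81     # [1] primitive INTEGER inside the CHOICE
TAG_ERROR = 0x81               # [1] primitive ENUMERATED at SEQUENCE level

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
ERROR_CODES = {name: code for code, name in ERROR_NAMES.items()}
WARNING_TAGS = {"timeBeforeExpiration": TAG_TIME_BEFORE_EXPIRY,
                "graceAuthNsRemaining": TAG_GRACE_REMAINING}


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV contents run past end of buffer")
    return tag, buf[pos:end], end


def decode_ppolicy_response(value):
    """Parse the control value into {'warning': (kind, n) or None, 'error': name or None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, wend = _read_tlv(contents, 0)
            if wend != len(contents):
                raise ValueError("warning CHOICE has trailing bytes")
            n = int.from_bytes(wval, "big", signed=True)
            if wtag == TAG_TIME_BEFORE_EXPIRY:
                out["warning"] = ("timeBeforeExpiration", n)
            elif wtag == TAG_GRACE_REMAINING:
                out["warning"] = ("graceAuthNsRemaining", n)
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == TAG_ERROR:
            code = int.from_bytes(contents, "big", signed=True)
            out["error"] = ERROR_NAMES.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return out


def client_action(decoded):
    """What a login front end should do with a decoded response control."""
    if decoded["error"] is not None:
        return "reject: %s" % decoded["error"]
    if decoded["warning"] is None:
        return "ok"
    kind, n = decoded["warning"]
    if kind == "timeBeforeExpiration":
        return "ok, warn: password expires in %d s" % n
    return "ok, password expired: %d grace bind(s) left, force change" % n


def _tlv(tag, contents):
    """BER tag-length-value with definite (short or long form) length."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents


def _ber_int(n):
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def encode_ppolicy_response(warning=None, error=None):
    """Build a control value; used here only to construct sample server responses."""
    body = b""
    if warning is not None:
        kind, n = warning
        body += _tlv(TAG_WARNING, _tlv(WARNING_TAGS[kind], _ber_int(n)))
    if error is not None:
        body += _tlv(TAG_ERROR, _ber_int(ERROR_CODES[error]))
    return _tlv(TAG_SEQUENCE, body)


# Constructed sample responses (not captured from a real server):
SAMPLES = {
    # bind inside the ads-pwdExpireWarning window, 120 s of validity left
    "warning_only": encode_ppolicy_response(warning=("timeBeforeExpiration", 120)),
    # expired password, one grace bind remaining (ads-pwdgraceauthnlimit: 1)
    "grace_bind": encode_ppolicy_response(warning=("graceAuthNsRemaining", 1)),
    # grace binds exhausted: the bind is refused
    "expired": encode_ppolicy_response(error="passwordExpired"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        decoded = decode_ppolicy_response(raw)
        print(name, raw.hex(), decoded, "->", client_action(decoded))
```

With the configuration posted above (ads-pwdExpireWarning: 60, ads-pwdgraceauthnlimit: 1), a bind inside the warning window should come back with a timeBeforeExpiration warning and the first bind after ads-pwdMaxAge with graceAuthNsRemaining; a client that never attaches the request control, such as the plain JNDI bind quoted at the bottom of the thread, is sent no response control and therefore sees no warning. The decoder rejects trailing bytes and unknown tags rather than ignoring them, so a malformed or truncated control value fails loudly instead of silently reading as "no warning, no error".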
