directory-users mailing list archives

From Sathya S <sathya.skr...@gmail.com>
Subject Re: Password expiry enforcement
Date Tue, 20 May 2014 05:58:40 GMT
Thank you Carlo and Kiran. Setting the system property solves the problem.

But Kiran- I *am* using the ApacheDS directory client and still seem to
need to use the system setting.

I am using the api-all-1.0.0-M22.jar version package. My imports:

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.Response;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
On Tue, May 20, 2014 at 6:56 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Tue, May 20, 2014 at 3:11 AM, <Carlo.Accorsi@ibs-ag.com> wrote:
>
> > Hi,
> > I had the same issue last year and Kiran suggested adding this line
> > somewhere in your code.
> >
> > System.setProperty("extra.controls",
> >     "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
> >
> yes, and this is not needed if you are using client API version >= 1.0.0-M21
>
> > I put it in the static initializer of the class that handles the pw policy
> > responses. Worked for me.
> >
> >
> >
> > -----Original Message-----
> > From: Sathya S [mailto:sathya.skr.75@gmail.com]
> > Sent: Monday, May 19, 2014 5:17 PM
> > To: users@directory.apache.org
> > Subject: Re: Password expiry enforcement
> >
> > Thanks,
> >
> > I am trying out code from:
> >
> > svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
> >
> > I am facing an issue when trying to access the PasswordPolicy -
> >
> >     PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();
> >
> >     BindRequest bindReq = new BindRequestImpl();
> >     bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
> >     bindReq.setCredentials("helloworld");
> >     bindReq.addControl(PP_REQ_CTRL);
> >
> >     LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
> >     BindResponse bindResp = userCon.bind(bindReq);
> >
> >     Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
> >     PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();
> >
> > The last line throws me this exception:
> > java.lang.ClassCastException: org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator
> >
> > This is the config on my server:
> >
> > dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > ads-pwdminlength: 7
> > ads-pwdinhistory: 5
> > ads-pwdid: default
> > ads-pwdcheckquality: 1
> > ads-pwdlockout: TRUE
> > ads-pwdlockoutduration: 0
> > ads-pwdMaxAge: 120
> > ads-pwdvalidator: com.sathya.MyPasswordPolicy
> > ads-pwdmaxfailure: 5
> > ads-pwdattribute: userPassword
> > ads-pwdfailurecountinterval: 30
> > entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
> > ads-enabled: TRUE
> > objectclass: top
> > objectclass: ads-base
> > objectclass: ads-passwordPolicy
> > entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
> > ads-pwdgraceauthnlimit: 1
> > entryCSN: 20140519205014.514000Z#000000#001#000000
> > modifyTimestamp: 20140519205014.514Z
> > ads-pwdExpireWarning: 60
> >
> > Any input?
> >
> >
> >
> > On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> >
> > > On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:
> > >
> > > > Brilliant!! Thanks so much Kiran. That worked.
> > > >
> > > > But still don't get a warning before expiry. Some of my friends said
> > > > that this is something that needs to be built into the calling code
> > > > and not something that apacheds provides out of the box. Is that right?
> > > >
> > > you need to send password policy request control (OID is
> > > 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back, note that the
> > > error/warning will be present in the password policy response control
> > > present in the bind response
> > >
> > > >
> > > > —
> > > > Sent from Mailbox
> > > >
> > > > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> > > >
> > > > > On Sat, May 17, 2014 at 7:18 PM, Sathya S <sathya.skr.75@gmail.com> wrote:
> > > > >> I am continuing on my experiments with getting password policies
> > > > >> functioning on ApacheDS and I am trying to enable password expiry and a
> > > > >> warning before the expiry.
> > > > >>
> > > > >> This is what I have configured on the server:
> > > > >>
> > > > >> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > > >> ads-pwdminlength: 7
> > > > >> ads-pwdinhistory: 5
> > > > >> ads-pwdid: default
> > > > >> ads-pwdcheckquality: 1
> > > > >> ads-pwdlockout: TRUE
> > > > >> ads-pwdlockoutduration: 0
> > > > >>
> > > > >> *ads-pwdMaxAge: 300*
> > > > >> *ads-pwdExpireWarning: 180*
> > > > >> ...
> > > > >>
> > > > >> My understanding of this is that a user's password is valid for 5
> > > > >> minutes after which authentication would fail. After 3 minutes up to 5
> > > > >> minutes, he would be able to login, but would receive a warning about
> > > > >> impending expiry.
> > > > >> Is that correct?
> > > > >>
> > > > > yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > > > > otherwise bind operation always accepts the expired password
> > > > >> I restarted the server after making the above change.
> > > > >>
> > > > >> I have the below Java code to authenticate the user:
> > > > >>
> > > > >>     Hashtable<String, String> env = new Hashtable<String, String>();
> > > > >>     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> > > > >>     env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > > > >>     //
> > > > >>     env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > > > >>     env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
> > > > >>     env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > > > >>
> > > > >>     // Create the initial context
> > > > >>
> > > > >>     DirContext ctx = new InitialDirContext(env);
> > > > >>
> > > > >> I created this user account almost an hour ago but the authentication
> > > > >> still goes through successfully. Anything I am missing here?
> > > > >>
> > > > >> Thanks.
> > > > >>
> > > > > --
> > > > > Kiran Ayyagari
> > > > > http://keydap.com
> > > >
> > >
> > >
> > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> > >
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
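The bind-with-control flow discussed in this thread, written out as an added example (it is not code from the thread or from the ApacheDS project): it applies Carlo's `extra.controls` workaround in a static initializer, sends the password policy request control with the bind, and then checks the response control with an `instanceof` test instead of the blind cast that produced the ClassCastException above, so a missing control factory is reported rather than thrown. Host, port and user DN are taken from the thread; the password is read from the command line. The class name `PpolicyBindCheck`, the method `bindAndCheck` and the `Outcome` enum are names chosen here, and the accessor names on the response control (`hasResponse()`, `getResponse()`, `getTimeBeforeExpiration()`, `getGraceAuthNRemaining()`, `getPasswordPolicyError()`) are assumed to match the 1.0.0-M22 client API as exercised by PasswordPolicyIT.

```java
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Binds with the password policy request control and reports expiry warnings or errors. */
public class PpolicyBindCheck {

    static {
        // Workaround from this thread for api-all 1.0.0-M22: register the ppolicy
        // control factory so the server's response control is decoded as a
        // PasswordPolicyDecorator rather than a generic BasicControlDecorator.
        // Kiran notes it is not needed with client API >= 1.0.0-M21.
        System.setProperty("extra.controls",
            "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
    }

    /** Outcome of one bind, as seen through the password policy response control (name chosen here). */
    public enum Outcome { OK, WARNING, DENIED, NO_CONTROL }

    public static Outcome bindAndCheck(String host, int port, String userDn, String password)
            throws Exception {
        LdapConnection conn = new LdapNetworkConnection(host, port);
        try {
            BindRequest bindReq = new BindRequestImpl();
            bindReq.setDn(new Dn(userDn));
            bindReq.setCredentials(password);
            // Request control, OID 1.3.6.1.4.1.42.2.27.8.5.1 (PasswordPolicy.OID)
            bindReq.addControl(new PasswordPolicyImpl());

            BindResponse bindResp = conn.bind(bindReq);
            ResultCodeEnum rc = bindResp.getLdapResult().getResultCode();

            Control control = bindResp.getControls().get(PasswordPolicy.OID);
            if (control == null) {
                System.out.println("no ppolicy response control (bind result: " + rc + ")");
                return rc == ResultCodeEnum.SUCCESS ? Outcome.OK : Outcome.DENIED;
            }
            // Check the decoded type instead of casting blindly: an undecoded control
            // is exactly the ClassCastException case from the thread.
            if (!(control instanceof PasswordPolicyDecorator)) {
                System.out.println("ppolicy control not decoded (" + control.getClass().getName()
                    + "); set extra.controls or upgrade the client API");
                return Outcome.NO_CONTROL;
            }
            PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();
            if (!policy.hasResponse()) {
                return rc == ResultCodeEnum.SUCCESS ? Outcome.OK : Outcome.DENIED;
            }
            PasswordPolicyResponse resp = policy.getResponse();

            PasswordPolicyErrorEnum err = resp.getPasswordPolicyError();
            if (err != null) {
                // e.g. PASSWORD_EXPIRED once pwdMaxAge has passed and the grace logins are used up
                System.out.println("bind refused by password policy: " + err);
                return Outcome.DENIED;
            }
            int secondsLeft = resp.getTimeBeforeExpiration(); // -1 when the field is absent
            int graceLeft = resp.getGraceAuthNRemaining();    // -1 when the field is absent
            if (secondsLeft >= 0) {
                // Inside the pwdExpireWarning window: still authenticated, but warn the user
                System.out.println("password expires in " + secondsLeft + "s");
                return Outcome.WARNING;
            }
            if (graceLeft >= 0) {
                // Password already expired; pwdGraceAuthNLimit logins remain before refusal
                System.out.println("password expired; " + graceLeft + " grace login(s) remaining");
                return Outcome.WARNING;
            }
            return Outcome.OK;
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Host, port and DN as used in the thread; the password is the first argument.
        String password = args.length > 0 ? args[0] : "";
        System.out.println(bindAndCheck("localhost", 10389,
            "uid=SathyaSkr,ou=people,dc=example,dc=com", password));
    }
}
```

With the server settings quoted in the thread (ads-pwdMaxAge 300, ads-pwdExpireWarning 180, ads-pwdgraceauthnlimit 1) the method returns WARNING during the last 180 seconds of the password's life and again for the single grace login after expiry, and DENIED once that grace login has been consumed; a NO_CONTROL result means the bind itself may have succeeded but the client cannot see the policy state, which is the situation to treat as a configuration fault rather than as a clean login.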
