directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: pwdMustChange not working
Date Sun, 08 Mar 2015 10:00:08 GMT
On Sun, Mar 8, 2015 at 12:33 PM, brock samson <brock.samson_@hotmail.com>
wrote:

> Carlo,
>
> you are correct. pwdSafeModify value was TRUE. so after resetting it back
> to FALSE and restarting, everything is working as you described in your
> last post, thank you!
>
> however, the question remains to everyone else about pwdSafeModify
> attribute's value being TRUE and an admin changing some user's password via
> apache studio. as i stated in previous post, such action results in an
> error where apache studio asks for user's original password. my question is
> how to disclose this original password in apache studio?
>
for admin it shouldn't ask for old password, it is a bug, can you file a
bug report on JIRA?

>
> > From: Carlo.Accorsi@ibs-ag.com
> > To: users@directory.apache.org
> > Subject: RE: pwdMustChange not working
> > Date: Fri, 6 Mar 2015 13:29:51 +0000
> >
> > Brock,
> > Not sure about that. The only thing I can think of is you may have the
> > ads-pwdsafemodify set TRUE.
> > We looked at this feature a couple years ago and I don't think it was
> > implemented then but it may be now in M19.
> > If that's the case, you could try setting it FALSE (and restarting).
> > The studio's UI might not have the ability to provide the existing
> > password while changing. I don't know.
> > If you post the full stack trace of the exception it may offer better
> > clues.  Thanks
> >
> >
> > -----Original Message-----
> > From: brock samson [mailto:brock.samson_@hotmail.com]
> > Sent: Friday, March 06, 2015 12:19 AM
> > To: users@directory.apache.org
> > Subject: RE: pwdMustChange not working
> >
> > Carlo,
> >
> > thank you for such a detailed description.
> > i never mentioned in my initial post that i already had
> > pwdPolicySubentry placed as a user's attribute, though its value is
> > pointing to
> > ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config,
> > which is the ootb password policy. the part that i did not perform was
> > having the admin change that user's password which results in the pwdReset
> > attribute being set. yet when i signed in as an admin (uid=admin,ou=system)
> > to apache studio and then proceeded to change a user's
> > (uid=bob,ou=users,o=mycompany) password, i got the following error:
> > LdapNoPermissionException: trying to update password attribute without the
> > supplying the old password. do you know what i am doing wrong? should an
> > admin be forced to enter an old password? if that is the case, how do i
> > make apache studio do that? thanks.
> >
> > > From: Carlo.Accorsi@ibs-ag.com
> > > To: users@directory.apache.org
> > > Subject: RE: pwdMustChange not working
> > > Date: Thu, 5 Mar 2015 19:04:58 +0000
> > >
> > > Hi, we've been using that feature for quite some time to force a user to
> > > change their password after it's been reset by an admin.
> > >
> > > Make sure the user(s) you want this to affect have the
> > > pwdPolicySubEntry attribute set on their entry with the DN of the password
> > > policy entry.
> > >
> > > For example
> > >
> > > dn: uid=jsmith,ou=users,ou=int,o=company
> > > uid: jsmith
> > > cn: jsmith
> > > ...
> > > pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config
> > >
> > > Then on the policy entry itself, the attribute ads-pwdmustchange must
> > > be set TRUE.
> > > And the policy must be enabled, ads-enabled=TRUE
> > >
> > > If you've made changes to the policy, restart the server.
> > >
> > > Then if an admin, using the bind credentials (uid=admin,ou=system)
> > > sets the password for jsmith, the pwdReset attribute is added to their
> > > user entry.
> > > The next time jsmith binds with their credentials, you get a signal
> > > that the password must change in the bind response.
> > > Here's some pseudo code:
> > >
> > > import org.apache.directory.api.ldap.codec.api.LdapApiService;
> > > import org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory;
> > > import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
> > > import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
> > > import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
> > > import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
> > > import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
> > > import org.apache.directory.api.ldap.model.message.BindRequest;
> > > import org.apache.directory.api.ldap.model.message.BindRequestImpl;
> > > import org.apache.directory.api.ldap.model.message.BindResponse;
> > > import org.apache.directory.api.ldap.model.message.Control;
> > >
> > > BindRequest bindRequest = new BindRequestImpl();
> > > bindRequest.setDn(dn);
> > > bindRequest.setCredentials(strPassword);
> > >
> > > // attach the password policy request control so the server reports policy state
> > > LdapApiService codec = LdapApiServiceFactory.getSingleton();
> > > PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
> > > bindRequest.addControl(pwCtrl);
> > >
> > > BindResponse bindResponse = connection.bind(bindRequest);
> > >
> > > // the server answers with its own password policy control; read it from the response
> > > Control ctrl = bindResponse.getControl(PasswordPolicy.OID);
> > > if (ctrl != null)
> > > {
> > >     PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();
> > >
> > >     if (pwPolicy.hasResponse())
> > >     {
> > >         PasswordPolicyResponse pw = pwPolicy.getResponse();
> > >         // process password response.
> > >
> > >         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
> > >         {
> > >             // this will be true when the pwdReset attr is present on the user.
> > >             // call your change password code here
> > >         }
> > >     }
> > > }
> > >
> > > After the jsmith user changes their password (with their credentials)
> > > the pwdReset attribute is removed from their entry.
> > >
> > >
> > >  Hope this helps.
> > >
> > >
> > > -----Original Message-----
> > > From: brock samson [mailto:brock.samson_@hotmail.com]
> > > Sent: Thursday, March 05, 2015 12:39 PM
> > > To: users@directory.apache.org
> > > Subject: pwdMustChange not working
> > >
> > > i am running apacheds2-M19, and changing the pwdMustChange password policy
> > > attribute's value from FALSE to TRUE does not have any effect. after server
> > > restart and using the typical LdapNetworkConnection.bind() function, the
> > > response is marked with SUCCESS. also, despite a very good description of
> > > pretty much every password policy attribute on your doc site, there is
> > > absolutely nothing written about this particular attribute.
> > >
> >
>
>



-- 
Kiran Ayyagari
http://keydap.com
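An added example (not code from any post in this thread) of the change-password step that Carlo's pseudo code leaves as a comment, written the way a pwdSafeModify=TRUE policy expects it: one modify that deletes the old userPassword value and adds the new one, sent over the user's own bind so the server clears pwdReset. It assumes the Apache Directory LDAP API client classes named in the imports; the host, DNs and passwords are placeholders, and the reading of the deleted value as the "old password" the exception in the thread asks for is an assumption.

```java
import org.apache.directory.api.ldap.model.message.ModifyRequest;
import org.apache.directory.api.ldap.model.message.ModifyRequestImpl;
import org.apache.directory.api.ldap.model.message.ModifyResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Password change that satisfies a pwdSafeModify=TRUE policy. The user binds
 * with the password the admin set, then sends ONE modify that removes the old
 * userPassword value and adds the new one. Assumption: the server treats the
 * removed value as proof of the old password, whereas a plain "replace" (what
 * a GUI typically sends) carries no old value and is rejected with the
 * LdapNoPermissionException seen in the thread. After a successful change the
 * server drops pwdReset from the entry.
 */
public class SafePasswordChange
{
    private static final String HOST = "ldap.example.test"; // placeholder host
    private static final int PORT = 10389;                  // ApacheDS default LDAP port
    private static final String USER_DN = "uid=bob,ou=users,o=mycompany"; // DN from the thread

    public static ResultCodeEnum changeOwnPassword( String oldPassword, String newPassword ) throws Exception
    {
        try ( LdapNetworkConnection conn = new LdapNetworkConnection( HOST, PORT ) )
        {
            // bind as the user, not as uid=admin,ou=system: pwdReset is only
            // cleared when the owner of the entry changes the password
            conn.bind( USER_DN, oldPassword );

            ModifyRequest req = new ModifyRequestImpl();
            req.setName( new Dn( USER_DN ) );
            req.remove( "userPassword", oldPassword ); // old value: proof of possession
            req.add( "userPassword", newPassword );    // new value in the same operation

            ModifyResponse resp = conn.modify( req );
            return resp.getLdapResult().getResultCode(); // SUCCESS when the policy accepts it
        }
    }

    public static void main( String[] args ) throws Exception
    {
        // placeholder credentials for illustration only
        ResultCodeEnum rc = changeOwnPassword( "temp-from-admin", "N3w-Str0ng-Passw0rd" );
        System.out.println( "password modify result: " + rc );
    }
}
```

Running this after the admin reset described above should return SUCCESS and leave the entry without pwdReset; a result of INSUFFICIENT_ACCESS_RIGHTS with the "old password" message means the modify reached the server without the delete of the old value.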
