Mailing-List: users@directory.apache.org (run by ezmlm)
Reply-To: users@directory.apache.org
Subject: RE: pwdMustChange not working
Thread-Topic: pwdMustChange not working
Date: Fri, 6 Mar 2015 13:29:51 +0000
Content-Type: text/plain; charset="us-ascii"

Brock,

Not sure about that. The only thing I can think of is that you may have ads-pwdsafemodify set to TRUE.
We looked at this feature a couple of years ago and I don't think it was implemented then, but it may be now in M19.
If that's the case, you could try setting it to FALSE (and restarting).
The Studio UI might not have the ability to provide the existing password while changing it. I don't know.
If you post the full stack trace of the exception it may offer better clues.

Thanks

-----Original Message-----
From: brock samson [mailto:brock.samson_@hotmail.com]
Sent: Friday, March 06, 2015 12:19 AM
To: users@directory.apache.org
Subject: RE: pwdMustChange not working

Carlo, thank you for such a detailed description.

I never mentioned in my initial post that I already had pwdPolicySubentry placed as a user's attribute, though its value is pointing to ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config, which is the OOTB password policy. The part that I did not perform was having the admin change that user's password, which results in the pwdReset attribute being set. Yet when I signed in as an admin (uid=admin,ou=system) to Apache Studio and then proceeded to change a user's (uid=bob,ou=users,o=mycompany) password, I got the following error: LdapNoPermissionException: trying to update password attribute without the supplying the old password. Do you know what I am doing wrong? Should an admin be forced to enter an old password? If that is the case, how do I make Apache Studio do that? Thanks.

> From: Carlo.Accorsi@ibs-ag.com
> To: users@directory.apache.org
> Subject: RE: pwdMustChange not working
> Date: Thu, 5 Mar 2015 19:04:58 +0000
>
> Hi, we've been using that feature for quite some time to force a user to change their password after it's been reset by an admin.
>
> Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on their entry with the DN of the password policy entry.
>
> For example
>
> dn: uid=jsmith,ou=users,ou=int,o=company
> uid: jsmith
> cn: jsmith
> ...
> pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config
>
> Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE.
> And the policy must be enabled, ads-enabled=TRUE
>
> If you've made changes to the policy, restart the server.
>
> Then if an admin, using the bind credentials (uid=admin,ou=system) sets the password for jsmith, the pwdReset attribute is added to their user entry.
> The next time jsmith binds with their credentials, you get a signal that the password must change in the bind response.
> Here's some pseudo code:
>
> // Assumes an open LdapNetworkConnection 'connection', the user's Dn 'dn' and their password 'strPassword'.
> import org.apache.directory.api.ldap.codec.api.*;
> import org.apache.directory.api.ldap.extras.controls.ppolicy.*;
> import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
> import org.apache.directory.api.ldap.model.message.*;
>
> BindRequest bindRequest = new BindRequestImpl();
> bindRequest.setDn(dn);
> bindRequest.setCredentials(strPassword);
>
> // attach the password policy request control so the server reports policy state in the bind response
> LdapApiService codec = LdapApiServiceFactory.getSingleton();
> PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
> bindRequest.addControl(pwCtrl);
> BindResponse bindResponse = connection.bind(bindRequest);
>
> // the policy state comes back in the response control, not in the request control that was sent
> Control respCtrl = bindResponse.getControl(PasswordPolicy.OID);
> if (respCtrl != null)
> {
>     PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) respCtrl).getDecorated();
>     if (pwPolicy.hasResponse())
>     {
>         PasswordPolicyResponse pw = pwPolicy.getResponse();
>         // process password response.
>         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
>         {
>             // this will be true when the pwdReset attr is present on the user.
>             // call your change password code here
>         }
>     }
> }
>
> After the jsmith user changes their password (with their credentials) the pwdReset attribute is removed from their entry.
>
> Hope this helps.
>
>
> -----Original Message-----
> From: brock samson [mailto:brock.samson_@hotmail.com]
> Sent: Thursday, March 05, 2015 12:39 PM
> To: users@directory.apache.org
> Subject: pwdMustChange not working
>
> I am running apacheds2-M19, and changing the pwdMustChange password policy attribute's value from FALSE to TRUE does not have any effect. After server restart and using the typical LdapNetworkConnection.bind() function, the response is marked with SUCCESS. Also, despite a very good description of pretty much every password policy attribute on your doc site, there is absolutely nothing written about this particular attribute.
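An added example, not from the thread and not ApacheDS's or the Apache LDAP API project's own code, showing the two modify operations the thread describes: the admin reset that makes the server add pwdReset when ads-pwdmustchange=TRUE, and the user's own change sent as remove-old-value plus add-new-value, the "safe modify" form that ads-pwdsafemodify=TRUE demands and that a bare replace (as Studio appears to send) fails with "trying to update password attribute without the supplying the old password". Host, port, the admin password and the two sample passwords are assumed; the user DN is the one from Brock's message.

```java
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.ModificationOperation;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class PwdResetFlow
{
    // Step 1: an admin resets the user's password with a plain REPLACE.
    // Because the bind identity is not the entry owner, ApacheDS adds pwdReset to the
    // entry when the policy named in the user's pwdPolicySubEntry has ads-pwdmustchange=TRUE.
    static void adminReset( LdapConnection conn, String userDn, String tempPw ) throws LdapException
    {
        Modification replace = new DefaultModification(
            ModificationOperation.REPLACE_ATTRIBUTE, "userPassword", tempPw );
        conn.modify( userDn, replace );
    }

    // Step 2: the user, bound with their own credentials, changes the password.
    // With ads-pwdsafemodify=TRUE the server rejects a REPLACE that does not carry the old
    // value, so the change goes as REMOVE old + ADD new inside one modify request.
    // Once this succeeds the server drops pwdReset from the entry.
    static void userChange( LdapConnection conn, String userDn, String oldPw, String newPw ) throws LdapException
    {
        Modification removeOld = new DefaultModification(
            ModificationOperation.REMOVE_ATTRIBUTE, "userPassword", oldPw );
        Modification addNew = new DefaultModification(
            ModificationOperation.ADD_ATTRIBUTE, "userPassword", newPw );
        conn.modify( userDn, removeOld, addNew );
    }

    public static void main( String[] args ) throws Exception
    {
        String userDn = "uid=bob,ou=users,o=mycompany";      // DN from the thread
        String tempPw = "Temp-Pass-1";                         // constructed sample values
        String newPw = "New-Pass-2";

        LdapNetworkConnection admin = new LdapNetworkConnection( "localhost", 10389 ); // assumed host/port
        admin.bind( "uid=admin,ou=system", "secret" );         // assumed admin password
        adminReset( admin, userDn, tempPw );
        admin.close();

        LdapNetworkConnection user = new LdapNetworkConnection( "localhost", 10389 );
        user.bind( userDn, tempPw );                           // bind succeeds; pwdReset is now present
        userChange( user, userDn, tempPw, newPw );             // satisfies safe modify, clears pwdReset
        user.close();
    }
}
```

The bind in step 2 can carry the password policy control from Carlo's pseudo code to confirm CHANGE_AFTER_RESET before calling userChange.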