directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Davis <mda...@rez1.com>
Subject RE: [ApacheDS | LDAP API] changing expired passwords
Date Thu, 08 Jun 2017 18:32:03 GMT
I know this is going back a few months, but was this issue ever addressed? 
We've got some planned changes that involve a 3rd party tool that is going 
to make this issue very difficult for us to address in code.

Last I heard from Emmanuel on this is likely a bug, and should be fixed 
urgently. I'm not finding anything obvious in issues.apache.org that relates 
to this.

-----Original Message-----
From: Mike Davis [mailto:mdavis@rez1.com]
Sent: Wednesday, November 02, 2016 9:51 AM
To: users@directory.apache.org
Subject: RE: [ApacheDS | LDAP API] changing expired passwords



Thanks. I was considering grace logins as a work around. Not my ideal 
scenario, but should work.


Ideally, this work around should not be needed.




Get Outlook for Android






On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo" 
<Carlo.Accorsi@siemens.com> wrote:






Hi - We're using API M32 and a server version a few releases back.

We use the grace logins to raise errors (to change the password) before it's 
actually expired & locked.

In the password policy we set the attribute ads-pwdgraceauthnlimit=4.  The 
user then gets 4 more attempts to login after the password is expired but 
before it's locked out. You'll need to raise an error or warning so that 
they do it but a valid password gives them a few more logins. The 
PasswordPolicyResponse  getGraceAuthNRemaining()  method indicates how many 
grace logins are left for the user.  We were not able to get the safe 
password function working, we just bind with the creds one last time before 
resetting the password using an admin bind. (This isn't ideal however 
because it uses one of the user's grace logins. So with the grace value set 
to 4, we only allow 3 grace logins, saving the last one for the password 
reset).

 Here are some code snips and hope it helps.

/**Determine if user password is expired and all grace logins are used from 
PasswordPolicyResponse code.
	 * @param ctrl The PasswordPolicyResponse object containing the response 
code
	 * @return true when the password and grace logins are expired and the user 
cannot login, false otherwise.
	 */
	public static boolean isPasswordExpiredLocked(PasswordPolicyResponse ctrl)
	{
		if (ctrl != null){
			// two grace logins are needed. One to login, one to change the password.
			// Account must lock if only one grace login remains because there are no 
binds left to change it.

			// Password is forced to change, but there are no expire warnings, ok.
			if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == 
ctrl.getPasswordPolicyError() &&
					ctrl.getGraceAuthNRemaining() == -1 )
			{
				return false;
			}

			// Password is expired and there are no grace logins to clear it, fail.
			if ((ctrl.getTimeBeforeExpiration() == -1  && 
ctrl.getGraceAuthNRemaining() <= 1)
					 || PasswordPolicyErrorEnum.PASSWORD_EXPIRED == 
ctrl.getPasswordPolicyError()) // need to set expired flag.
			{
				return true;
			}
		}
		return false;
	}


	/**Determine if user password must change from PasswordPolicyResponse code.
	 * @param ctrl The PasswordPolicyResponse object containing the response 
code
	 * @return true when the password must change, false otherwise.
	 */
	public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl)
	{
		if (ctrl != null){
			if (ctrl.getTimeBeforeExpiration() == -1 ||
					(ctrl.getGraceAuthNRemaining() <= 2 && ctrl.getGraceAuthNRemaining() 
 > -1)) // need to reset before LAST 2 logins
			{
				//System.out.println("Password must change. Expired in " + 
ctrl.getTimeBeforeExpiration()+ " seconds, " + 
ctrl.getGraceLoginsRemaining() + " logins remain . ");
				return true;
			}
			if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == 
ctrl.getPasswordPolicyError())
			{
				//System.out.println("Password was changed by admin and must change. ");
				return true;
			}
			if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED == 
ctrl.getPasswordPolicyError())
			{
				//System.out.println("Password has expired and must change. ");
				return true;
			}
		}
		return false;
	}

//here's our relevant config

dn: 
ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: top
objectClass: ads-base
objectClass: ads-passwordPolicy
ads-pwdId: internal
ads-pwdSafeModify: FALSE  // never got this to work. Password reset using 
admin bind.
ads-pwdMaxAge: 5184000  // 60 days
ads-pwdFailureCountInterval: 30
ads-pwdAttribute: userPassword
ads-pwdMaxFailure: 5
ads-pwdLockout: TRUE
ads-pwdMustChange: FALSE
ads-pwdLockoutDuration: 0 // lock indefinitely.
ads-pwdMinLength: 6
ads-pwdInHistory: 5
ads-pwdExpireWarning: 345600  // 4 days
ads-pwdMinAge: 0
ads-pwdAllowUserChange: TRUE
ads-pwdGraceAuthNLimit: 4 // allow 4 logins after expired (raising an error 
each time)
ads-pwdCheckQuality: 1
ads-pwdMaxLength: 0
ads-pwdGraceExpire: 0
ads-pwdMinDelay: 0
ads-pwdMaxDelay: 0
ads-pwdMaxIdle: 0
ads-enabled: FALSE



-----Original Message-----
From: Mike Davis [mailto:mdavis@rez1.com]
Sent: Wednesday, November 02, 2016 7:36 AM
To: users@directory.apache.org
Subject: Re: [ApacheDS | LDAP API] changing expired passwords



Thanks for the quick response.


I have not set any of the grace login parameters at this time.




Get Outlook for Android



From: Emmanuel Lécharny

Sent: Wednesday, November 2, 4:00 AM

Subject: Re: [ApacheDS | LDAP API] changing expired passwords

To: users@directory.apache.org



Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue with 
either Apache DS or the Apache LDAP API, or > both. > > > > Here's the 
scenario. > > > > I have a user whose password is expired. I want to force 
the user to > change their password. However, I can't distinguish between a 
case where > the user knows the password and where the user doesn't. I 
always get a > PasswordException with > 
passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and > 
resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that, the 
LdapConnectionTemplate.modifyPassword() method that > takes old and new 
password doesn't work, because the library is attempting > to bind with the 
users old password, and we just get the same > PasswordException as above. 
If I use the 'asAdmin' flag, then the old > password is never checked. > > > 
 > I don't want to change the password as admin, because I have no way to > 
validate the user knows his old password. You should not be forced to use 
the admin flag to change an expired password. There is a paramter 
(pwdGraceUseTime) that let the user tries up a given delay to change an 
expired password. What is the value you have set for this parameter ? 
However, teh default should be infinite. I suspect there is a bug that 
should be fixed urgently...
Hi !


Le 01/11/16 à 22:03, Mike Davis a écrit :
> I've run into an issue with either Apache DS or the Apache LDAP API,
> or both.
>
>
>
> Here's the scenario.
>
>
>
> I have a user whose password is expired. I want to force the user to
> change their password. However, I can't distinguish between a case
> where the user knows the password and where the user doesn't. I always
> get a PasswordException with
> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED  and
> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>
>
>
> On top of that, the LdapConnectionTemplate.modifyPassword() method
> that takes old and new password doesn't work, because the library is
> attempting to bind with the users old password, and we just get the
> same PasswordException as above. If I use the 'asAdmin' flag, then the
> old password is never checked.
>
>
>
> I don't want to change the password as admin, because I have no way to
> validate the user knows his old password.

You should not be forced to use the admin flag to change an expired 
password. There is a paramter (pwdGraceUseTime) that let the user tries up a 
given delay to change an expired password. What is the value you have set 
for this parameter ?

However, teh default should be infinite. I suspect there is a bug that 
should be fixed urgently...


Mime
View raw message