directory-users mailing list archives

From Mike Davis <mda...@rez1.com>
Subject RE: [ApacheDS | LDAP API] changing expired passwords
Date Tue, 08 Aug 2017 21:11:34 GMT
Ah, right. Congratulations!

I created DIRAPI-299.

Thanks for all your help with this.

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Monday, August 07, 2017 5:48 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS | LDAP API] changing expired passwords

Hi Mike,


Sorry for having left this problem aside (I was working on a more important release: a baby ;-)


You should create a JIRA with a description of the problem (copying/pasting the content of your mail should be good enough).


I can't guarantee a quick fix, being pretty busy atm, but I'll have a look. 
Please ping me if you don't see a response after a few days.


Thanks !


On 08/06/2017 at 20:32, Mike Davis wrote:
> I know this is going back a few months, but was this issue ever addressed?
> We've got some planned changes that involve a 3rd party tool that is
> going to make this issue very difficult for us to address in code.
>
> Last I heard from Emmanuel on this, it is likely a bug and should be
> fixed urgently. I'm not finding anything obvious in issues.apache.org
> that relates to this.
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 9:51 AM
> To: users@directory.apache.org
> Subject: RE: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks. I was considering grace logins as a work around. Not my ideal
> scenario, but should work.
>
>
> Ideally, this work around should not be needed.
>
> On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo" <Carlo.Accorsi@siemens.com> wrote:
>
> Hi - We're using API M32 and a server version a few releases back.
>
> We use the grace logins to raise errors (to change the password)
> before it's actually expired & locked.
>
> In the password policy we set the attribute ads-pwdgraceauthnlimit=4.
> The user then gets 4 more attempts to login after the password is
> expired but before it's locked out. You'll need to raise an error or
> warning so that they do it but a valid password gives them a few more
> logins. The PasswordPolicyResponse getGraceAuthNRemaining() method
> indicates how many grace logins are left for the user. We were not
> able to get the safe password function working, we just bind with the
> creds one last time before resetting the password using an admin bind.
> (This isn't ideal however because it uses one of the user's grace
> logins. So with the grace value set to 4, we only allow 3 grace
> logins, saving the last one for the password reset).
>
> Here are some code snippets; hope it helps.
>
> import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
> import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
>
> /** Determine if the user password is expired and all grace logins are used, from the PasswordPolicyResponse code.
>  * @param ctrl The PasswordPolicyResponse object containing the response code
>  * @return true when the password and grace logins are expired and the user cannot login, false otherwise.
>  */
> public static boolean isPasswordExpiredLocked(PasswordPolicyResponse ctrl)
> {
>     if (ctrl != null) {
>         // two grace logins are needed. One to login, one to change the password.
>         // Account must lock if only one grace login remains because there are no binds left to change it.
>
>         // Password is forced to change, but there are no expire warnings, ok.
>         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == ctrl.getPasswordPolicyError()
>                 && ctrl.getGraceAuthNRemaining() == -1)
>         {
>             return false;
>         }
>
>         // Password is expired and there are no grace logins to clear it, fail.
>         if ((ctrl.getTimeBeforeExpiration() == -1 && ctrl.getGraceAuthNRemaining() <= 1)
>                 || PasswordPolicyErrorEnum.PASSWORD_EXPIRED == ctrl.getPasswordPolicyError()) // need to set expired flag.
>         {
>             return true;
>         }
>     }
>     return false;
> }
>
> /** Determine if the user password must change, from the PasswordPolicyResponse code.
>  * @param ctrl The PasswordPolicyResponse object containing the response code
>  * @return true when the password must change, false otherwise.
>  */
> public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl)
> {
>     if (ctrl != null) {
>         if (ctrl.getTimeBeforeExpiration() == -1
>                 || (ctrl.getGraceAuthNRemaining() <= 2 && ctrl.getGraceAuthNRemaining() > -1)) // need to reset before LAST 2 logins
>         {
>             //System.out.println("Password must change. Expired in " + ctrl.getTimeBeforeExpiration() + " seconds, "
>             //        + ctrl.getGraceAuthNRemaining() + " logins remain.");
>             return true;
>         }
>         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == ctrl.getPasswordPolicyError())
>         {
>             //System.out.println("Password was changed by admin and must change.");
>             return true;
>         }
>         if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED == ctrl.getPasswordPolicyError())
>         {
>             //System.out.println("Password has expired and must change.");
>             return true;
>         }
>     }
>     return false;
> }
>
> // here's our relevant config
>
> dn: ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectClass: top
> objectClass: ads-base
> objectClass: ads-passwordPolicy
> ads-pwdId: internal
> ads-pwdSafeModify: FALSE  // never got this to work. Password reset using admin bind.
> ads-pwdMaxAge: 5184000  // 60 days
> ads-pwdFailureCountInterval: 30
> ads-pwdAttribute: userPassword
> ads-pwdMaxFailure: 5
> ads-pwdLockout: TRUE
> ads-pwdMustChange: FALSE
> ads-pwdLockoutDuration: 0  // lock indefinitely.
> ads-pwdMinLength: 6
> ads-pwdInHistory: 5
> ads-pwdExpireWarning: 345600  // 4 days
> ads-pwdMinAge: 0
> ads-pwdAllowUserChange: TRUE
> ads-pwdGraceAuthNLimit: 4  // allow 4 logins after expired (raising an error each time)
> ads-pwdCheckQuality: 1
> ads-pwdMaxLength: 0
> ads-pwdGraceExpire: 0
> ads-pwdMinDelay: 0
> ads-pwdMaxDelay: 0
> ads-pwdMaxIdle: 0
> ads-enabled: FALSE
>
>
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 7:36 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks for the quick response.
>
>
> I have not set any of the grace login parameters at this time.
>
> From: Emmanuel Lécharny
> Sent: Wednesday, November 2, 4:00 AM
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
> To: users@directory.apache.org
>
> Hi !
>
>
> On 01/11/16 at 22:03, Mike Davis wrote:
>> I've run into an issue with either Apache DS or the Apache LDAP API,
>> or both.
>>
>>
>>
>> Here's the scenario.
>>
>>
>>
>> I have a user whose password is expired. I want to force the user to
>> change their password. However, I can't distinguish between a case
>> where the user knows the password and where the user doesn't. I always
>> get a PasswordException with
>> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED  and
>> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>>
>>
>>
>> On top of that, the LdapConnectionTemplate.modifyPassword() method
>> that takes old and new password doesn't work, because the library is
>> attempting to bind with the users old password, and we just get the
>> same PasswordException as above. If I use the 'asAdmin' flag, then the
>> old password is never checked.
>>
>>
>>
>> I don't want to change the password as admin, because I have no way to
>> validate the user knows his old password.
> You should not be forced to use the admin flag to change an expired
> password. There is a parameter (pwdGraceUseTime) that lets the user try,
> up to a given delay, to change an expired password. What is the value you
> have set for this parameter?
>
> However, the default should be infinite. I suspect there is a bug that
> should be fixed urgently...
>
>

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
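The grace-login workaround Carlo describes, carried through as one end-to-end flow: bind as the user with the password-policy request control attached (which verifies the old password and, if it is expired, spends one grace login), read the PasswordPolicyResponse, and only then replace userPassword under an admin bind. This is an added example, not code from the thread or from the Apache Directory project. It is written against the Apache LDAP API 1.0 line, where the control class is PasswordPolicy/PasswordPolicyImpl and the server's answer is read with getResponse() (in the 2.x API the request and response are separate PasswordPolicyRequestImpl/PasswordPolicyResponse controls; that naming is an assumption). Host, port, the admin DN/password and the sample user DN are placeholders. Unlike Carlo's setup, which performs a login bind and a later verification bind, this collapses both into the single bind in step 1, so it needs only one grace login.

```java
import java.io.IOException;

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Expired-password change through a grace login. The user's own bind proves knowledge of the
 * old password; the admin bind is used only for the replace, because pwdSafeModify could not
 * be made to work in the thread. Connection details below are placeholders (assumed).
 */
public class GraceLoginPasswordChange
{
    private static final String HOST = "localhost";                 // assumed
    private static final int PORT = 10389;                          // assumed ApacheDS default LDAP port
    private static final String ADMIN_DN = "uid=admin,ou=system";   // assumed ApacheDS default admin
    private static final String ADMIN_PASSWORD = "secret";          // assumed; load from a secret store in practice

    /** Outcome of the attempt, so the caller can tell the user exactly what happened. */
    public enum Outcome { CHANGED, NOT_REQUIRED, WRONG_PASSWORD, EXPIRED_NO_GRACE }

    /** Pull the password-policy response control out of a bind response, or null if the server sent none. */
    static PasswordPolicyResponse policyResponse( BindResponse resp )
    {
        Control ctrl = resp.getControl( PasswordPolicy.OID );
        if ( ctrl instanceof PasswordPolicy && ( ( PasswordPolicy ) ctrl ).hasResponse() )
        {
            return ( ( PasswordPolicy ) ctrl ).getResponse();
        }
        return null;
    }

    /**
     * Must the password be changed now? CHANGE_AFTER_RESET and PASSWORD_EXPIRED say so directly;
     * a non-negative graceAuthNRemaining means this bind just spent a grace login, i.e. the
     * password is already past pwdMaxAge. The thresholds are this example's choice, not the API's.
     */
    static boolean mustChange( PasswordPolicyResponse pp )
    {
        if ( pp == null )
        {
            return false;
        }
        PasswordPolicyErrorEnum err = pp.getPasswordPolicyError();
        return err == PasswordPolicyErrorEnum.CHANGE_AFTER_RESET
            || err == PasswordPolicyErrorEnum.PASSWORD_EXPIRED
            || pp.getGraceAuthNRemaining() > -1;
    }

    public static Outcome verifyAndChange( String userDn, String oldPassword, String newPassword )
        throws LdapException, IOException
    {
        LdapNetworkConnection conn = new LdapNetworkConnection( HOST, PORT );
        try
        {
            conn.connect();

            // 1. Bind as the user, asking the server for the password-policy response control.
            BindRequest req = new BindRequestImpl();
            req.setName( userDn );
            req.setCredentials( oldPassword );
            req.addControl( new PasswordPolicyImpl() );
            BindResponse resp = conn.bind( req );
            PasswordPolicyResponse pp = policyResponse( resp );

            if ( resp.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS )
            {
                // With no grace logins left the server answers INVALID_CREDENTIALS plus PASSWORD_EXPIRED
                // whether or not the password was right, so the old password can no longer be verified
                // from here: this is the situation Mike describes, and why the grace window matters.
                if ( pp != null && pp.getPasswordPolicyError() == PasswordPolicyErrorEnum.PASSWORD_EXPIRED )
                {
                    return Outcome.EXPIRED_NO_GRACE;
                }
                return Outcome.WRONG_PASSWORD;
            }

            // 2. The bind succeeded, so the user has proved knowledge of the old password.
            if ( !mustChange( pp ) )
            {
                return Outcome.NOT_REQUIRED;
            }

            // 3. Replace the password under an admin bind; step 1 is what makes this safe.
            conn.bind( ADMIN_DN, ADMIN_PASSWORD );
            conn.modify( userDn, new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, "userPassword", newPassword ) );
            return Outcome.CHANGED;
        }
        finally
        {
            conn.close();
        }
    }

    public static void main( String[] args ) throws LdapException, IOException
    {
        // Assumed user DN and placeholder passwords; in a real flow both passwords come from the user.
        Outcome o = verifyAndChange( "uid=alice,ou=users,dc=example,dc=com", "old-secret", "new-secret-2017" );
        System.out.println( "result: " + o );
    }
}
```

Because the admin bind bypasses pwdSafeModify and the password-quality checks apply to the replace regardless of who performs it, the only thing standing between "anyone who knows the user's DN" and a password change is the successful user bind in step 1; never skip it, and treat EXPIRED_NO_GRACE as "send the user to a separate recovery path" rather than falling back to an unverified admin reset.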

