directory-users mailing list archives
From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [ApacheDS | LDAP API] changing expired passwords
Date Mon, 07 Aug 2017 21:48:11 GMT
Hi Mike,


sorry for having left this problem aside (was working on a more important
release: a baby ;-)


You should create a JIRA with a description of the problem (copy/pasting
the content of your mail should be good enough).


I can't guarantee a quick fix, being pretty busy atm, but I'll have a
look. Please ping me if you don't see a response after a few days.


Thanks !


On 08/06/2017 at 20:32, Mike Davis wrote:
> I know this is going back a few months, but was this issue ever addressed?
> We've got some planned changes that involve a 3rd party tool that is going
> to make this issue very difficult for us to address in code.
>
> Last I heard from Emmanuel, this is likely a bug and should be fixed
> urgently. I'm not finding anything obvious in issues.apache.org that relates
> to this.
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 9:51 AM
> To: users@directory.apache.org
> Subject: RE: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks. I was considering grace logins as a workaround. Not my ideal
> scenario, but should work.
>
>
> Ideally, this workaround should not be needed.
>
> On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo" 
> <Carlo.Accorsi@siemens.com> wrote:
>
>
>
>
>
>
> Hi - We're using API M32 and a server version a few releases back.
>
> We use the grace logins to raise errors (to change the password) before it's 
> actually expired & locked.
>
> In the password policy we set the attribute ads-pwdgraceauthnlimit=4.  The 
> user then gets 4 more attempts to login after the password is expired but 
> before it's locked out. You'll need to raise an error or warning so that 
> they do it but a valid password gives them a few more logins. The 
> PasswordPolicyResponse  getGraceAuthNRemaining()  method indicates how many 
> grace logins are left for the user.  We were not able to get the safe 
> password function working, we just bind with the creds one last time before 
> resetting the password using an admin bind. (This isn't ideal however 
> because it uses one of the user's grace logins. So with the grace value set 
> to 4, we only allow 3 grace logins, saving the last one for the password 
> reset).
>
>  Here are some code snips and hope it helps.
>
> import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
> import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
>
> /**
>  * Determine if the user password is expired and all grace logins are used,
>  * from the PasswordPolicyResponse code.
>  * @param ctrl The PasswordPolicyResponse object containing the response code
>  * @return true when the password and grace logins are expired and the user
>  *         cannot login, false otherwise.
>  */
> public static boolean isPasswordExpiredLocked(PasswordPolicyResponse ctrl)
> {
>     if (ctrl != null) {
>         // Two grace logins are needed: one to login, one to change the password.
>         // The account must lock if only one grace login remains because there
>         // are no binds left to change it.
>
>         // Password is forced to change, but there are no expire warnings: ok.
>         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == ctrl.getPasswordPolicyError()
>                 && ctrl.getGraceAuthNRemaining() == -1)
>         {
>             return false;
>         }
>
>         // Password is expired and there are no grace logins to clear it: fail.
>         // -1 means the value was not set in the response.
>         if ((ctrl.getTimeBeforeExpiration() == -1 && ctrl.getGraceAuthNRemaining() <= 1)
>                 || PasswordPolicyErrorEnum.PASSWORD_EXPIRED == ctrl.getPasswordPolicyError()) // need to set expired flag.
>         {
>             return true;
>         }
>     }
>     return false;
> }
>
> /**
>  * Determine if the user password must change, from the PasswordPolicyResponse code.
>  * @param ctrl The PasswordPolicyResponse object containing the response code
>  * @return true when the password must change, false otherwise.
>  */
> public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl)
> {
>     if (ctrl != null) {
>         if (ctrl.getTimeBeforeExpiration() == -1
>                 || (ctrl.getGraceAuthNRemaining() <= 2 && ctrl.getGraceAuthNRemaining() > -1)) // need to reset before LAST 2 logins
>         {
>             //System.out.println("Password must change. Expired in " + ctrl.getTimeBeforeExpiration()
>             //        + " seconds, " + ctrl.getGraceAuthNRemaining() + " logins remain.");
>             return true;
>         }
>         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == ctrl.getPasswordPolicyError())
>         {
>             //System.out.println("Password was changed by admin and must change.");
>             return true;
>         }
>         if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED == ctrl.getPasswordPolicyError())
>         {
>             //System.out.println("Password has expired and must change.");
>             return true;
>         }
>     }
>     return false;
> }
>
> # here's our relevant config
>
> dn: ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectClass: top
> objectClass: ads-base
> objectClass: ads-passwordPolicy
> ads-pwdId: internal
> # never got this to work; the password reset uses an admin bind instead.
> ads-pwdSafeModify: FALSE
> # 60 days
> ads-pwdMaxAge: 5184000
> ads-pwdFailureCountInterval: 30
> ads-pwdAttribute: userPassword
> ads-pwdMaxFailure: 5
> ads-pwdLockout: TRUE
> ads-pwdMustChange: FALSE
> # lock indefinitely.
> ads-pwdLockoutDuration: 0
> ads-pwdMinLength: 6
> ads-pwdInHistory: 5
> # 4 days
> ads-pwdExpireWarning: 345600
> ads-pwdMinAge: 0
> ads-pwdAllowUserChange: TRUE
> # allow 4 logins after expiry (raising an error each time)
> ads-pwdGraceAuthNLimit: 4
> ads-pwdCheckQuality: 1
> ads-pwdMaxLength: 0
> ads-pwdGraceExpire: 0
> ads-pwdMinDelay: 0
> ads-pwdMaxDelay: 0
> ads-pwdMaxIdle: 0
> ads-enabled: FALSE
>
>
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 7:36 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks for the quick response.
>
>
> I have not set any of the grace login parameters at this time.
>
>
> From: Emmanuel Lécharny
>
> Sent: Wednesday, November 2, 4:00 AM
>
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
> To: users@directory.apache.org
>
>
>
> Hi !
>
>
> On 01/11/16 at 22:03, Mike Davis wrote:
>> I've run into an issue with either Apache DS or the Apache LDAP API,
>> or both.
>>
>>
>>
>> Here's the scenario.
>>
>>
>>
>> I have a user whose password is expired. I want to force the user to
>> change their password. However, I can't distinguish between a case
>> where the user knows the password and where the user doesn't. I always
>> get a PasswordException with
>> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED  and
>> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>>
>>
>>
>> On top of that, the LdapConnectionTemplate.modifyPassword() method
>> that takes old and new password doesn't work, because the library is
>> attempting to bind with the users old password, and we just get the
>> same PasswordException as above. If I use the 'asAdmin' flag, then the
>> old password is never checked.
>>
>>
>>
>> I don't want to change the password as admin, because I have no way to
>> validate the user knows his old password.
> You should not be forced to use the admin flag to change an expired
> password. There is a parameter (pwdGraceUseTime) that lets the user try, up to
> a given delay, to change an expired password. What is the value you have set
> for this parameter?
>
> However, the default should be infinite. I suspect there is a bug that
> should be fixed urgently...
>

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
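The ads-passwordPolicy entry Carlo quotes above, parsed and summarised the way an operator reviewing the grace-login workaround would want it. This is an added example, not ApacheDS or Apache LDAP API code; the LDIF values are copied from the thread, and the one-bind reserve for the reset is an assumption taken from his description.

```python
# Added example (not ApacheDS or Apache LDAP API code): parse the
# ads-passwordPolicy entry from the thread and derive the numbers that
# drive the grace-login workaround.

# LDIF copied from the thread (attributes not needed here are omitted).
POLICY_LDIF = """\
dn: ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: ads-passwordPolicy
ads-pwdMaxAge: 5184000
ads-pwdExpireWarning: 345600
ads-pwdGraceAuthNLimit: 4
ads-pwdMaxFailure: 5
ads-pwdLockout: TRUE
ads-pwdLockoutDuration: 0
ads-pwdSafeModify: FALSE
ads-pwdAllowUserChange: TRUE
"""

# Assumption from the thread: the final user bind that proves the old
# password before the admin reset spends one grace login.
RESERVED_GRACE_BINDS = 1


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry (no folding or base64).
    Names are lower-cased because LDAP attribute names are case-insensitive."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def review_policy(entry):
    """Derive the operator-facing numbers from the raw attribute values."""
    def num(attr, default=0):
        return int(entry.get(attr, [default])[0])

    def flag(attr):
        return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"

    grace = num("ads-pwdgraceauthnlimit")
    return {
        "max_age_days": num("ads-pwdmaxage") / 86400,
        "warning_days": num("ads-pwdexpirewarning") / 86400,
        "grace_logins": grace,
        # Grace logins the application can actually hand out before it must
        # keep the last one for the reset bind.
        "usable_grace_logins": max(grace - RESERVED_GRACE_BINDS, 0),
        # ads-pwdLockoutDuration 0 with lockout enabled locks indefinitely.
        "lockout_indefinite": flag("ads-pwdlockout") and num("ads-pwdlockoutduration") == 0,
        "safe_modify": flag("ads-pwdsafemodify"),
    }
```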

