Posted to users@directory.apache.org by brock samson <br...@hotmail.com> on 2015/03/05 18:38:48 UTC

pwdMustChange not working

i am running apacheds2-M19, and changing pwdMustChange password policy attribute's value from FALSE to TRUE does not have any effect. after server restart and using the typical LdapNetworkConnection.bind() function, and response is marked with SUCCESS. also, despite very good description of pretty much every password policy attribute on your doc site, there is absolutely nothing written about this particular attribute.

Re: pwdMustChange not working

Posted by Kiran Ayyagari <ka...@apache.org>.
On Sun, Mar 8, 2015 at 12:33 PM, brock samson <br...@hotmail.com>
wrote:

> Carlo,
>
> you are correct. pwdSafeModify value was TRUE. so after resetting it back
> to FALSE and restarting, everything is working as you described in your
> last post, thank you!
>
> however, the question remains to everyone else about pwdSafeModify
> attribute's value being TRUE and an admin changing some user's password via
> apache studio. as i stated in previous post, such action results in an
> error where apache studio asks for user's original password. my question is
> how to disclose this original password in apache studio?
>
for admin it shouldn't ask for old password, it is a bug, can you file a
bug report on JIRA?

>
> > From: Carlo.Accorsi@ibs-ag.com
> > To: users@directory.apache.org
> > Subject: RE: pwdMustChange not working
> > Date: Fri, 6 Mar 2015 13:29:51 +0000
> >
> > Brock,
> > Not sure about that. The only thing I can think of is you may have the
> ads-pwdsafemodify set TRUE.
> > We looked at this feature a couple years ago and I don't think it was
> implemented then but it may be now in M19.
> > If that's the case, you could try setting it FALSE (and restarting).
> > The studio's UI might not have the ability to provide the existing
> password while changing. I don't know.
> > If you post the full stack trace of the exception it may offer better
> clues.  Thanks
> >
> >
> > -----Original Message-----
> > From: brock samson [mailto:brock.samson_@hotmail.com]
> > Sent: Friday, March 06, 2015 12:19 AM
> > To: users@directory.apache.org
> > Subject: RE: pwdMustChange not working
> >
> > Carlo,
> >
> > thank you for such detailed description.
> > i never mentioned in my initial post that i already had
> pwdPolicySubentry placed as a user's attribute, though its value is
> pointing to
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config,
> which is the ootb password policy. the part that i did not perform was
> having the admin change that user's password which results in pwdReset
> attribute being set. yet when i signed in as an admin (uid=admin,ou=system)
> to apache studio and then proceeded to change a user's
> (uid=bob,ou=users,o=mycompany) password, i got the following error:
> LdapNoPermissionException: trying to update password attribute without the
> supplying the old password. do you know what i am doing wrong? should an
> admin be forced to enter an old password? if that is the case, how do i
> make apache studio do that? thanks.
> >
> > > From: Carlo.Accorsi@ibs-ag.com
> > > To: users@directory.apache.org
> > > Subject: RE: pwdMustChange not working
> > > Date: Thu, 5 Mar 2015 19:04:58 +0000
> > >
> > > Hi, we've been using that feature for quite some time to force a user to
> change their password after it's been reset by an admin.
> > >
> > > Make sure the user(s) you want this to affect have the
> pwdPolicySubEntry attribute set on their entry with the  DN of the password
> policy entry.
> > >
> > > For example
> > >
> > > dn: uid=jsmith,ou=users,ou=int,o=company
> > > uid: jsmith
> > > cn: jsmith
> > > ...
> > > pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config
> > >
> > > Then on the policy entry itself, the attribute ads-pwdmustchange must
> be set TRUE.
> > > And the policy must be enabled, ads-enabled=TRUE
> > >
> > > If you've made changes to the policy, restart the server.
> > >
> > > Then if an admin, using the bind credentials (uid=admin,ou=system)
> sets the password for jsmith, the  pwdReset attribute is added to their
> user entry.
> > > The next time jsmith binds with their credentials, you get a signal
> that the password must change in the bind response.
> > > Here's some pseudo code:
> > >
> > > BindRequest bindRequest = new BindRequestImpl();
> > > bindRequest.setDn(dn);
> > > bindRequest.setCredentials(strPassword);
> > >
> > > // attach the password policy request control so the server answers with one
> > > LdapApiService codec = LdapApiServiceFactory.getSingleton();
> > > PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
> > >
> > > bindRequest.addControl(pwCtrl);
> > > BindResponse bindResponse = connection.bind(bindRequest);
> > >
> > > // the signal travels in the response control, not in the result code
> > > Control ctrl = bindResponse.getControl(PasswordPolicy.OID);
> > > PasswordPolicyResponse pw = null;
> > >
> > > if (ctrl != null)
> > > {
> > >     PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();
> > >
> > >     if (pwPolicy.hasResponse())
> > >     {
> > >         pw = pwPolicy.getResponse();
> > >         // process password response.
> > >
> > >         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
> > >         {
> > >             // this will be true when the pwdReset attr is present on the user.
> > >             // call your change password code here
> > >         }
> > >     }
> > > }
> > >
> > > After the jsmith user changes their password (with their credentials)
> the pwdReset attribute is removed from their entry.
> > >
> > >
> > >  Hope this helps.
> > >
> > >
> > > -----Original Message-----
> > > From: brock samson [mailto:brock.samson_@hotmail.com]
> > > Sent: Thursday, March 05, 2015 12:39 PM
> > > To: users@directory.apache.org
> > > Subject: pwdMustChange not working
> > >
> > > i am running apacheds2-M19, and changing pwdMustChange password policy
> attribute's value from FALSE to TRUE does not have any effect. after server
> restart and using the typical LdapNetworkConnection.bind() function, and
> response is marked with SUCCESS. also, despite very good description of
> pretty much every password policy attribute on your doc site, there is
> absolutely nothing written about this particular attribute.
> > >
> >
>
>



-- 
Kiran Ayyagari
http://keydap.com

RE: pwdMustChange not working

Posted by Ca...@ibs-ag.com.
Great, and it sounds like you found a bug. Thanks. 

-----Original Message-----
From: brock samson [mailto:brock.samson_@hotmail.com] 
Sent: Saturday, March 07, 2015 11:33 PM
To: users@directory.apache.org
Subject: RE: pwdMustChange not working

Carlo,

you are correct. pwdSafeModify value was TRUE. so after resetting it back to FALSE and restarting, everything is working as you described in your last post, thank you!

however, the question remains to everyone else about pwdSafeModify attribute's value being TRUE and an admin changing some user's password via apache studio. as i stated in previous post, such action results in an error where apache studio asks for user's original password. my question is how to disclose this original password in apache studio?

> From: Carlo.Accorsi@ibs-ag.com
> To: users@directory.apache.org
> Subject: RE: pwdMustChange not working
> Date: Fri, 6 Mar 2015 13:29:51 +0000
> 
> Brock, 
> Not sure about that. The only thing I can think of is you may have the ads-pwdsafemodify set TRUE. 
> We looked at this feature a couple years ago and I don't think it was implemented then but it may be now in M19. 
> If that's the case, you could try setting it FALSE (and restarting). 
> The studio's UI might not have the ability to provide the existing password while changing. I don't know.
> If you post the full stack trace of the exception it may offer better clues.  Thanks
> 
> 
> -----Original Message-----
> From: brock samson [mailto:brock.samson_@hotmail.com] 
> Sent: Friday, March 06, 2015 12:19 AM
> To: users@directory.apache.org
> Subject: RE: pwdMustChange not working
> 
> Carlo,
> 
> thank you for such detailed description.
> i never mentioned in my initial post that i already had pwdPolicySubentry placed as a user's attribute, though its value is pointing to ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config, which is the ootb password policy. the part that i did not perform was having the admin change that user's password which results in pwdReset attribute being set. yet when i signed in as an admin (uid=admin,ou=system) to apache studio and then proceeded to change a user's (uid=bob,ou=users,o=mycompany) password, i got the following error: LdapNoPermissionException: trying to update password attribute without the supplying the old password. do you know what i am doing wrong? should an admin be forced to enter an old password? if that is the case, how do i make apache studio do that? thanks.
> 
> > From: Carlo.Accorsi@ibs-ag.com
> > To: users@directory.apache.org
> > Subject: RE: pwdMustChange not working
> > Date: Thu, 5 Mar 2015 19:04:58 +0000
> > 
> > Hi, we've been using that feature for quite some time to force a user to change their password after it's been reset by an admin.
> > 
> > Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on their entry with the  DN of the password policy entry.
> > 
> > For example
> > 
> > dn: uid=jsmith,ou=users,ou=int,o=company
> > uid: jsmith
> > cn: jsmith
> > ...
> > pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config
> > 
> > Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE. 
> > And the policy must be enabled, ads-enabled=TRUE
> > 
> > If you've made changes to the policy, restart the server. 
> > 
> > Then if an admin, using the bind credentials (uid=admin,ou=system) sets the password for jsmith, the  pwdReset attribute is added to their user entry.
> > The next time jsmith binds with their credentials, you get a signal that the password must change in the bind response. 
> > Here's some pseudo code:
> > 
> > BindRequest bindRequest = new BindRequestImpl();
> > bindRequest.setDn(dn);
> > bindRequest.setCredentials(strPassword);
> >
> > // attach the password policy request control so the server answers with one
> > LdapApiService codec = LdapApiServiceFactory.getSingleton();
> > PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
> >
> > bindRequest.addControl(pwCtrl);
> > BindResponse bindResponse = connection.bind(bindRequest);
> >
> > // the signal travels in the response control, not in the result code
> > Control ctrl = bindResponse.getControl(PasswordPolicy.OID);
> > PasswordPolicyResponse pw = null;
> >
> > if (ctrl != null)
> > {
> >     PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();
> >
> >     if (pwPolicy.hasResponse())
> >     {
> >         pw = pwPolicy.getResponse();
> >         // process password response.
> >
> >         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
> >         {
> >             // this will be true when the pwdReset attr is present on the user.
> >             // call your change password code here
> >         }
> >     }
> > }
> > 
> > After the jsmith user changes their password (with their credentials) the pwdReset attribute is removed from their entry.
> > 
> > 	
> >  Hope this helps.
> > 
> > 
> > -----Original Message-----
> > From: brock samson [mailto:brock.samson_@hotmail.com] 
> > Sent: Thursday, March 05, 2015 12:39 PM
> > To: users@directory.apache.org
> > Subject: pwdMustChange not working
> > 
> > i am running apacheds2-M19, and changing pwdMustChange password policy attribute's value from FALSE to TRUE does not have any effect. after server restart and using the typical LdapNetworkConnection.bind() function, and response is marked with SUCCESS. also, despite very good description of pretty much every password policy attribute on your doc site, there is absolutely nothing written about this particular attribute.

RE: pwdMustChange not working

Posted by Ca...@ibs-ag.com.
Thanks for your responses. Our logic assigns the pwdPolicySubEntry attribute value for a user from one of many policies. 
Please don't take away the ability to write to it :) 


-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org] 
Sent: Monday, March 09, 2015 6:06 PM
To: users@directory.apache.org
Subject: Re: pwdMustChange not working

On Tue, Mar 10, 2015 at 5:11 AM, Emmanuel Lécharny <el...@gmail.com>
wrote:

> Le 08/03/15 05:33, brock samson a écrit :
> > Carlo,
> >
> > you are correct. pwdSafeModify value was TRUE. so after resetting it
> back to FALSE and restarting, everything is working as you described 
> in your last post, thank you!
> >
> > however, the question remains to everyone else about pwdSafeModify
> attribute's value being TRUE and an admin changing some user's 
> password via apache studio. as i stated in previous post, such action 
> results in an error where apache studio asks for user's original 
> password. my question is how to disclose this original password in apache studio?
>
> I strongly suspect that the implemented logic is that it's seen as a
> Modify, thus it expects to have the old value - to delete it - and the
> new one to replace it.
>
> The thing is that a user may have more than one password, and on a 
> modify operation, changing only one of the passwords will require to 
> know which of the passwords have to be removed (the old one).
>
> Now, considering the passwordPolicy implementation, this makes no 
> sense
> : we should only have one single password for a user for the PP to be 
> able to manage correctly the password, thus requiring the old password 
> is nonsensical.
>
> This is something that needs to be fixed.
>
> There is also one other thing that I don't like in the way the PP is 
> handled : one should never have to enter the pwdPolicySubEntry 
> attribute
>
this attribute is not needed at all unless there is a custom policy to be applied on a user entry.

> in an entry. But this is another problem that requires a full redesign 
> of the PP implementation. Something we must discuss, it's not a
> simple task...
>
>


--
Kiran Ayyagari
http://keydap.com

Re: pwdMustChange not working

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Mar 10, 2015 at 5:11 AM, Emmanuel Lécharny <el...@gmail.com>
wrote:

> Le 08/03/15 05:33, brock samson a écrit :
> > Carlo,
> >
> > you are correct. pwdSafeModify value was TRUE. so after resetting it
> back to FALSE and restarting, everything is working as you described in
> your last post, thank you!
> >
> > however, the question remains to everyone else about pwdSafeModify
> attribute's value being TRUE and an admin changing some user's password via
> apache studio. as i stated in previous post, such action results in an
> error where apache studio asks for user's original password. my question is
> how to disclose this original password in apache studio?
>
> I strongly suspect that the implemented logic is that it's seen as a
> Modify, thus it expects to have the old value - to delete it - and the
> new one to replace it.
>
> The thing is that a user may have more than one password, and on a
> modify operation, changing only one of the passwords will require to
> know which of the passwords have to be removed (the old one).
>
> Now, considering the passwordPolicy implementation, this makes no sense
> : we should only have one single password for a user for the PP to be
> able to manage correctly the password, thus requiring the old password
> is nonsensical.
>
> This is something that needs to be fixed.
>
> There is also one other thing that I don't like in the way the PP is
> handled : one should never have to enter the pwdPolicySubEntry attribute
>
this attribute is not needed at all unless there is a custom policy to be
applied on
a user entry.

> in an entry. But this is another problem that requires a full redesign
> of the PP implementation. Something we must discuss, it's not a simple
> task...
>
>


-- 
Kiran Ayyagari
http://keydap.com

Re: pwdMustChange not working

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 08/03/15 05:33, brock samson a écrit :
> Carlo,
>
> you are correct. pwdSafeModify value was TRUE. so after resetting it back to FALSE and restarting, everything is working as you described in your last post, thank you!
>
> however, the question remains to everyone else about pwdSafeModify attribute's value being TRUE and an admin changing some user's password via apache studio. as i stated in previous post, such action results in an error where apache studio asks for user's original password. my question is how to disclose this original password in apache studio?

I strongly suspect that the implemented logic is that it's seen as a
Modify, thus it expects to have the old value - to delete it - and the
new one to replace it.

The thing is that a user may have more than one password, and on a
modify operation, changing only one of the passwords will require to
know which of the passwords have to be removed (the old one).

Now, considering the passwordPolicy implementation, this makes no sense
: we should only have one single password for a user for the PP to be
able to manage correctly the password, thus requiring the old password
is nonsensical.

This is something that needs to be fixed.

There is also one other thing that I don't like in the way the PP is
handled : one should never have to enter the pwdPolicySubEntry attribute
in an entry. But this is another problem that requires a full redesign
of the PP implementation. Something we must discuss, it's not a simple
task...


RE: pwdMustChange not working

Posted by brock samson <br...@hotmail.com>.
Carlo,

you are correct. pwdSafeModify value was TRUE. so after resetting it back to FALSE and restarting, everything is working as you described in your last post, thank you!

however, the question remains to everyone else about pwdSafeModify attribute's value being TRUE and an admin changing some user's password via apache studio. as i stated in previous post, such action results in an error where apache studio asks for user's original password. my question is how to disclose this original password in apache studio?

> From: Carlo.Accorsi@ibs-ag.com
> To: users@directory.apache.org
> Subject: RE: pwdMustChange not working
> Date: Fri, 6 Mar 2015 13:29:51 +0000
> 
> Brock, 
> Not sure about that. The only thing I can think of is you may have the ads-pwdsafemodify set TRUE. 
> We looked at this feature a couple years ago and I don't think it was implemented then but it may be now in M19. 
> If that's the case, you could try setting it FALSE (and restarting). 
> The studio's UI might not have the ability to provide the existing password while changing. I don't know.
> If you post the full stack trace of the exception it may offer better clues.  Thanks
> 
> 
> -----Original Message-----
> From: brock samson [mailto:brock.samson_@hotmail.com] 
> Sent: Friday, March 06, 2015 12:19 AM
> To: users@directory.apache.org
> Subject: RE: pwdMustChange not working
> 
> Carlo,
> 
> thank you for such detailed description.
> i never mentioned in my initial post that i already had pwdPolicySubentry placed as a user's attribute, though its value is pointing to ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config, which is the ootb password policy. the part that i did not perform was having the admin change that user's password which results in pwdReset attribute being set. yet when i signed in as an admin (uid=admin,ou=system) to apache studio and then proceeded to change a user's (uid=bob,ou=users,o=mycompany) password, i got the following error: LdapNoPermissionException: trying to update password attribute without the supplying the old password. do you know what i am doing wrong? should an admin be forced to enter an old password? if that is the case, how do i make apache studio do that? thanks.
> 
> > From: Carlo.Accorsi@ibs-ag.com
> > To: users@directory.apache.org
> > Subject: RE: pwdMustChange not working
> > Date: Thu, 5 Mar 2015 19:04:58 +0000
> > 
> > Hi, we've been using that feature for quite some time to force a user to change their password after it's been reset by an admin.
> > 
> > Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on their entry with the  DN of the password policy entry.
> > 
> > For example
> > 
> > dn: uid=jsmith,ou=users,ou=int,o=company
> > uid: jsmith
> > cn: jsmith
> > ...
> > pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config
> > 
> > Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE. 
> > And the policy must be enabled, ads-enabled=TRUE
> > 
> > If you've made changes to the policy, restart the server. 
> > 
> > Then if an admin, using the bind credentials (uid=admin,ou=system) sets the password for jsmith, the  pwdReset attribute is added to their user entry.
> > The next time jsmith binds with their credentials, you get a signal that the password must change in the bind response. 
> > Here's some pseudo code:
> > 
> > BindRequest bindRequest = new BindRequestImpl();
> > bindRequest.setDn(dn);
> > bindRequest.setCredentials(strPassword);
> >
> > // attach the password policy request control so the server answers with one
> > LdapApiService codec = LdapApiServiceFactory.getSingleton();
> > PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
> >
> > bindRequest.addControl(pwCtrl);
> > BindResponse bindResponse = connection.bind(bindRequest);
> >
> > // the signal travels in the response control, not in the result code
> > Control ctrl = bindResponse.getControl(PasswordPolicy.OID);
> > PasswordPolicyResponse pw = null;
> >
> > if (ctrl != null)
> > {
> >     PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();
> >
> >     if (pwPolicy.hasResponse())
> >     {
> >         pw = pwPolicy.getResponse();
> >         // process password response.
> >
> >         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
> >         {
> >             // this will be true when the pwdReset attr is present on the user.
> >             // call your change password code here
> >         }
> >     }
> > }
> > 
> > After the jsmith user changes their password (with their credentials) the pwdReset attribute is removed from their entry.
> > 
> > 	
> >  Hope this helps.
> > 
> > 
> > -----Original Message-----
> > From: brock samson [mailto:brock.samson_@hotmail.com] 
> > Sent: Thursday, March 05, 2015 12:39 PM
> > To: users@directory.apache.org
> > Subject: pwdMustChange not working
> > 
> > i am running apacheds2-M19, and changing pwdMustChange password policy attribute's value from FALSE to TRUE does not have any effect. after server restart and using the typical LdapNetworkConnection.bind() function, and response is marked with SUCCESS. also, despite very good description of pretty much every password policy attribute on your doc site, there is absolutely nothing written about this particular attribute.

RE: pwdMustChange not working

Posted by Ca...@ibs-ag.com.
Brock, 
Not sure about that. The only thing I can think of is you may have the ads-pwdsafemodify set TRUE. 
We looked at this feature a couple years ago and I don't think it was implemented then but it may be now in M19. 
If that's the case, you could try setting it FALSE (and restarting). 
The studio's UI might not have the ability to provide the existing password while changing. I don't know.
If you post the full stack trace of the exception it may offer better clues.  Thanks


-----Original Message-----
From: brock samson [mailto:brock.samson_@hotmail.com] 
Sent: Friday, March 06, 2015 12:19 AM
To: users@directory.apache.org
Subject: RE: pwdMustChange not working

Carlo,

thank you for such detailed description.
i never mentioned in my initial post that i already had pwdPolicySubentry placed as a user's attribute, though its value is pointing to ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config, which is the ootb password policy. the part that i did not perform was having the admin change that user's password which results in pwdReset attribute being set. yet when i signed in as an admin (uid=admin,ou=system) to apache studio and then proceeded to change a user's (uid=bob,ou=users,o=mycompany) password, i got the following error: LdapNoPermissionException: trying to update password attribute without the supplying the old password. do you know what i am doing wrong? should an admin be forced to enter an old password? if that is the case, how do i make apache studio do that? thanks.

> From: Carlo.Accorsi@ibs-ag.com
> To: users@directory.apache.org
> Subject: RE: pwdMustChange not working
> Date: Thu, 5 Mar 2015 19:04:58 +0000
> 
> Hi, we've been using that feature for quite some time to force a user to change their password after it's been reset by an admin.
> 
> Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on their entry with the  DN of the password policy entry.
> 
> For example
> 
> dn: uid=jsmith,ou=users,ou=int,o=company
> uid: jsmith
> cn: jsmith
> ...
> pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config
> 
> Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE. 
> And the policy must be enabled, ads-enabled=TRUE
> 
> If you've made changes to the policy, restart the server. 
> 
> Then if an admin, using the bind credentials (uid=admin,ou=system) sets the password for jsmith, the  pwdReset attribute is added to their user entry.
> The next time jsmith binds with their credentials, you get a signal that the password must change in the bind response. 
> Here's some pseudo code:
> 
> BindRequest bindRequest = new BindRequestImpl();
> bindRequest.setDn(dn);
> bindRequest.setCredentials(strPassword);
>
> // attach the password policy request control so the server answers with one
> LdapApiService codec = LdapApiServiceFactory.getSingleton();
> PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
>
> bindRequest.addControl(pwCtrl);
> BindResponse bindResponse = connection.bind(bindRequest);
>
> // the signal travels in the response control, not in the result code
> Control ctrl = bindResponse.getControl(PasswordPolicy.OID);
> PasswordPolicyResponse pw = null;
>
> if (ctrl != null)
> {
>     PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();
>
>     if (pwPolicy.hasResponse())
>     {
>         pw = pwPolicy.getResponse();
>         // process password response.
>
>         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
>         {
>             // this will be true when the pwdReset attr is present on the user.
>             // call your change password code here
>         }
>     }
> }
> 
> After the jsmith user changes their password (with their credentials) the pwdReset attribute is removed from their entry.
> 
> 	
>  Hope this helps.
> 
> 
> -----Original Message-----
> From: brock samson [mailto:brock.samson_@hotmail.com] 
> Sent: Thursday, March 05, 2015 12:39 PM
> To: users@directory.apache.org
> Subject: pwdMustChange not working
> 
> i am running apacheds2-M19, and changing pwdMustChange password policy attribute's value from FALSE to TRUE does not have any effect. after server restart and using the typical LdapNetworkConnection.bind() function, and response is marked with SUCCESS. also, despite very good description of pretty much every password policy attribute on your doc site, there is absolutely nothing written about this particular attribute.

RE: pwdMustChange not working

Posted by brock samson <br...@hotmail.com>.
Carlo,

thank you for such detailed description.
i never mentioned in my initial post that i already had pwdPolicySubentry placed as a user's attribute, though its value is pointing to ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config, which is the ootb password policy. the part that i did not perform was having the admin change that user's password which results in pwdReset attribute being set. yet when i signed in as an admin (uid=admin,ou=system) to apache studio and then proceeded to change a user's (uid=bob,ou=users,o=mycompany) password, i got the following error: LdapNoPermissionException: trying to update password attribute without the supplying the old password. do you know what i am doing wrong? should an admin be forced to enter an old password? if that is the case, how do i make apache studio do that? thanks.

> From: Carlo.Accorsi@ibs-ag.com
> To: users@directory.apache.org
> Subject: RE: pwdMustChange not working
> Date: Thu, 5 Mar 2015 19:04:58 +0000
> 
> Hi, we've been using that feature for quite some time to force a user to change their password after it's been reset by an admin.
> 
> Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on their entry with the  DN of the password policy entry.
> 
> For example
> 
> dn: uid=jsmith,ou=users,ou=int,o=company
> uid: jsmith
> cn: jsmith
> ...
> pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config
> 
> Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE. 
> And the policy must be enabled, ads-enabled=TRUE
> 
> If you've made changes to the policy, restart the server. 
> 
> Then if an admin, using the bind credentials (uid=admin,ou=system) sets the password for jsmith, the  pwdReset attribute is added to their user entry.
> The next time jsmith binds with their credentials, you get a signal that the password must change in the bind response. 
> Here's some pseudo code:
> 
> BindRequest bindRequest = new BindRequestImpl();
> bindRequest.setDn(dn);
> bindRequest.setCredentials(strPassword);
>
> // attach the password policy request control so the server answers with one
> LdapApiService codec = LdapApiServiceFactory.getSingleton();
> PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
>
> bindRequest.addControl(pwCtrl);
> BindResponse bindResponse = connection.bind(bindRequest);
>
> // the signal travels in the response control, not in the result code
> Control ctrl = bindResponse.getControl(PasswordPolicy.OID);
> PasswordPolicyResponse pw = null;
>
> if (ctrl != null)
> {
>     PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();
>
>     if (pwPolicy.hasResponse())
>     {
>         pw = pwPolicy.getResponse();
>         // process password response.
>
>         if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
>         {
>             // this will be true when the pwdReset attr is present on the user.
>             // call your change password code here
>         }
>     }
> }
> 
> After the jsmith user changes their password (with their credentials) the pwdReset attribute is removed from their entry.
> 
> 	
>  Hope this helps.
> 
> 
> -----Original Message-----
> From: brock samson [mailto:brock.samson_@hotmail.com] 
> Sent: Thursday, March 05, 2015 12:39 PM
> To: users@directory.apache.org
> Subject: pwdMustChange not working
> 
> i am running apacheds2-M19, and changing pwdMustChange password policy attribute's value from FALSE to TRUE does not have any effect. after server restart and using the typical LdapNetworkConnection.bind() function, and response is marked with SUCCESS. also, despite very good description of pretty much every password policy attribute on your doc site, there is absolutely nothing written about this particular attribute.

RE: pwdMustChange not working

Posted by Ca...@ibs-ag.com.
Hi, we've been using that feature for quite some time to force a user to change their password after it's been reset by an admin.

Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on their entry with the  DN of the password policy entry.

For example

dn: uid=jsmith,ou=users,ou=int,o=company
uid: jsmith
cn: jsmith
...
pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=config

Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE. 
And the policy must be enabled, ads-enabled=TRUE

If you've made changes to the policy, restart the server. 

Then if an admin, using the bind credentials (uid=admin,ou=system) sets the password for jsmith, the  pwdReset attribute is added to their user entry.
The next time jsmith binds with their credentials, you get a signal that the password must change in the bind response. 
Here's some pseudo code:

BindRequest bindRequest = new BindRequestImpl();
bindRequest.setDn(dn);
bindRequest.setCredentials(strPassword);

// attach the password policy request control so the server answers with one
LdapApiService codec = LdapApiServiceFactory.getSingleton();
PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());

bindRequest.addControl(pwCtrl);
BindResponse bindResponse = connection.bind(bindRequest);

// the signal travels in the response control, not in the result code
Control ctrl = bindResponse.getControl(PasswordPolicy.OID);
PasswordPolicyResponse pw = null;

if (ctrl != null)
{
    PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();

    if (pwPolicy.hasResponse())
    {
        pw = pwPolicy.getResponse();
        // process password response.

        if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
        {
            // this will be true when the pwdReset attr is present on the user.
            // call your change password code here
        }
    }
}

After the jsmith user changes their password (with their credentials) the pwdReset attribute is removed from their entry.

 Hope this helps.


-----Original Message-----
From: brock samson [mailto:brock.samson_@hotmail.com] 
Sent: Thursday, March 05, 2015 12:39 PM
To: users@directory.apache.org
Subject: pwdMustChange not working

i am running apacheds2-M19, and changing pwdMustChange password policy attribute's value from FALSE to TRUE does not have any effect. after server restart and using the typical LdapNetworkConnection.bind() function, and response is marked with SUCCESS. also, despite very good description of pretty much every password policy attribute on your doc site, there is absolutely nothing written about this particular attribute.
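An end-to-end version of the flow Carlo describes (bind with the password policy control, detect CHANGE_AFTER_RESET, then let the user change their own password), written as an added example for this page rather than taken from the thread or from the ApacheDS project; host, port, DNs and passwords are placeholders, and the two Modify shapes reflect the ads-pwdsafemodify FALSE/TRUE behaviour discussed in the thread.

```java
// Added example (not Carlo's or the project's code). Uses the Apache LDAP API
// classes named in the thread; HOST/PORT/DNs/passwords are placeholders.
import org.apache.directory.api.ldap.codec.api.LdapApiService;
import org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ModifyRequest;
import org.apache.directory.api.ldap.model.message.ModifyRequestImpl;
import org.apache.directory.api.ldap.model.message.ModifyResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class MustChangeAfterReset {
    // Placeholders (assumptions, not from the thread): point these at your server.
    private static final String HOST = "localhost";
    private static final int PORT = 10389;

    /** Decoded password policy response control, or null when the server sent none. */
    static PasswordPolicyResponse policyResponse(BindResponse resp) {
        Control ctrl = resp.getControl(PasswordPolicy.OID);
        if (!(ctrl instanceof PasswordPolicyDecorator)) {
            return null;
        }
        PasswordPolicy pp = ((PasswordPolicyDecorator) ctrl).getDecorated();
        return pp.hasResponse() ? pp.getResponse() : null;
    }

    /** Bind with the control attached; true when the server flags CHANGE_AFTER_RESET. */
    static boolean bindAndCheckReset(LdapNetworkConnection conn, String userDn, String password)
            throws LdapException {
        LdapApiService codec = LdapApiServiceFactory.getSingleton();
        BindRequest req = new BindRequestImpl();
        req.setDn(new Dn(userDn));
        req.setCredentials(password);
        req.addControl(new PasswordPolicyDecorator(codec, new PasswordPolicyImpl()));

        BindResponse resp = conn.bind(req);
        if (resp.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS) {
            throw new LdapException("bind failed: " + resp.getLdapResult().getResultCode());
        }
        // The bind result is SUCCESS even after an admin reset (as in the original report);
        // the "must change" signal is only carried by the response control.
        PasswordPolicyResponse pr = policyResponse(resp);
        return pr != null && pr.getPasswordPolicyError() == PasswordPolicyErrorEnum.CHANGE_AFTER_RESET;
    }

    /**
     * Self-service password change on the already-bound connection.
     * With ads-pwdsafemodify=FALSE a plain replace is enough; with TRUE the server
     * expects the old value to be removed and the new one added in the same Modify.
     */
    static ModifyResponse changeOwnPassword(LdapNetworkConnection conn, String userDn,
            String oldPassword, String newPassword, boolean safeModify) throws LdapException {
        ModifyRequest mod = new ModifyRequestImpl();
        mod.setName(new Dn(userDn));
        if (safeModify) {
            mod.remove("userPassword", oldPassword);
            mod.add("userPassword", newPassword);
        } else {
            mod.replace("userPassword", newPassword);
        }
        return conn.modify(mod);
    }

    public static void main(String[] args) throws Exception {
        String userDn = "uid=jsmith,ou=users,ou=int,o=company"; // the entry from Carlo's example
        String tempPassword = "set-by-admin";                    // placeholder value
        LdapNetworkConnection conn = new LdapNetworkConnection(HOST, PORT);
        try {
            if (bindAndCheckReset(conn, userDn, tempPassword)) {
                ModifyResponse r = changeOwnPassword(conn, userDn, tempPassword, "new-secret", false);
                System.out.println("password change: " + r.getLdapResult().getResultCode());
                // On success the server drops the pwdReset attribute from the entry.
            } else {
                System.out.println("no CHANGE_AFTER_RESET signalled");
            }
        } finally {
            conn.close();
        }
    }
}
```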