Posted to dev@directory.apache.org by "Richard Lowden (JIRA)" <ji...@apache.org> on 2012/05/16 15:39:02 UTC

[jira] [Created] (DIRSERVER-1726) DefaultPasswordValidator always throws PasswordPolicyException when consecutive non-letter chars are in RDN

Richard Lowden created DIRSERVER-1726:
-----------------------------------------

             Summary: DefaultPasswordValidator always throws PasswordPolicyException when consecutive non-letter chars are in RDN
                 Key: DIRSERVER-1726
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1726
             Project: Directory ApacheDS
          Issue Type: Bug
    Affects Versions: 2.0.0-M6
            Reporter: Richard Lowden


When adding an entry with a userPassword attribute and the entry RDN contains two non-letter characters in a row (such as cn=test1@tempuri.com) then a CONSTRAINT_VIOLATION error is always received with the message "Password shouldn't contain parts of the username" regardless of what password you enter.

If you remove the "1" character or the "@" character then the entry will be created successfully.

Believe the issue is caused by the regex expressions used within org.apache.directory.server.core.authn.ppolicy.DefaultPasswordValidator, as the String array of tokens will contain an empty string when two non-letter chars are together ("1@" in this case).

Full error message is:

Error while creating entry
 - [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUES
  javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUEST
Message ID : 240
    Add Request :
Entry
    dn[n]: cn=test1@tempuri.com,o=unitTest
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: Smith
    userPassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 0x31 '
    cn: test1@tempuri.com
: Password shouldn't contain parts of the username]; remaining name 'cn=test1@tempuri.com,o=unitTest'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Unknown Source)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(Unknown Source)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(Unknown Source)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$4.run(JNDIConnectionWrapper.java:658)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.createEntry(JNDIConnectionWrapper.java:704)
	at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.createEntry(CreateEntryRunnable.java:226)
	at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.run(CreateEntryRunnable.java:117)
	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:113)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

  [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUEST
Message ID : 240
    Add Request :
Entry
    dn[n]: cn=test1@tempuri.com,o=unitTest
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: Smith
    userPassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 0x31 '
    cn: test1@tempuri.com
: Password shouldn't contain parts of the username]



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (DIRSERVER-1726) DefaultPasswordValidator always throws PasswordPolicyException when consecutive non-letter chars are in RDN

Posted by "Oldrich Novak (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-1726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13429170#comment-13429170 ] 

Oldrich Novak commented on DIRSERVER-1726:
------------------------------------------

Yep we found this bug on our project as well.
                

        

[jira] [Commented] (DIRSERVER-1726) DefaultPasswordValidator always throws PasswordPolicyException when consecutive non-letter chars are in RDN

Posted by "Oldrich Novak (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-1726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13437767#comment-13437767 ] 

Oldrich Novak commented on DIRSERVER-1726:
------------------------------------------

Hi,
I investigated and found the reason. The split method will return an empty string if there are 2 non-letter characters in the user name. For example john2@google.com. This empty string always matched the password.
Please fix DefaultPasswordValidator.java method checkUsernameSubstring( String password, String username ).
Replace: if ( password.matches( "(?i).*" + tokens[ii] + ".*" ) )
With: if (tokens[ii].length()>=3 && password.matches( "(?i).*" + tokens[ii] + ".*" ) )
The author describes in the method notation that tokens should be ignored if they have less than 3 characters, but it is not done anywhere in the code.
Thank you
                
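Added example, not part of the original thread and not the ApacheDS source: a stand-alone Java reproduction of the check discussed above, with the condition quoted in the comment and the proposed length guard side by side. The split pattern "[^a-zA-Z]" is an assumption based on the thread's description of splitting on non-letter characters; the class and method names are hypothetical.

```java
import java.util.Arrays;

public class UsernameTokenCheck {
    // Assumption: the validator splits the username on non-letters; the thread
    // describes this behaviour but does not show the pattern itself.
    static final String SPLIT_REGEX = "[^a-zA-Z]";

    // Condition as quoted in the thread (before the fix).
    static boolean rejectsBefore(String password, String username) {
        for (String token : username.split(SPLIT_REGEX)) {
            // An empty token turns the pattern into "(?i).*.*", which matches any password.
            if (password.matches("(?i).*" + token + ".*")) {
                return true;
            }
        }
        return false;
    }

    // Condition with the length guard proposed in the thread.
    static boolean rejectsAfter(String password, String username) {
        for (String token : username.split(SPLIT_REGEX)) {
            if (token.length() >= 3 && password.matches("(?i).*" + token + ".*")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // "password11" is the userPassword from the report (0x70 0x61 ... 0x31 0x31).
        String password = "password11";
        // The two usernames from the thread, the report's name without the "1",
        // and a constructed one whose leading digit also yields an empty token.
        String[] usernames = { "test1@tempuri.com", "john2@google.com", "test@tempuri.com", "9lives" };

        for (String username : usernames) {
            System.out.printf("%-18s tokens=%-26s before=%-5b after=%b%n",
                username,
                Arrays.toString(username.split(SPLIT_REGEX)),
                rejectsBefore(password, username),
                rejectsAfter(password, username));
        }
        // Constructed password that really contains a username part: still rejected.
        System.out.println(rejectsAfter("MyTempuri#2012", "test1@tempuri.com"));
    }
}
```

Java's String.split keeps empty strings between adjacent delimiters and at the start of the input but drops trailing ones, which is why only some usernames trigger the always-reject behaviour.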

        

[jira] [Resolved] (DIRSERVER-1726) DefaultPasswordValidator always throws PasswordPolicyException when consecutive non-letter chars are in RDN

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-1726.
------------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0-M8

Good catch!

Fixed with http://svn.apache.org/viewvc?rev=1393278&view=rev
                